Edit tour

Windows Analysis Report
http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40

Overview

General Information

Sample URL:	http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40
Analysis ID:	1650588
Infos:

Detection

Phisher

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Suricata IDS alerts for network traffic

Yara detected Phisher

Performs DNS queries to domains with low reputation

Creates files inside the system directory

Deletes files inside the Windows folder

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5792 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1964,i,2471850246389426269,11701980283300173567,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2024 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_49	JoeSecurity_Phisher_2	Yara detected Phisher	Joe Security

Suricata Signatures

ETPRO EXPLOIT_KIT FoxTDS Initial Check

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-27T20:30:19.759443+0100	2859622	1	Exploit Kit Activity Detected	188.132.128.218	80	192.168.2.7	49687	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Address: gin_throttle_mw_7200000000_45.92.229.138X-Ratelimit-Limit: 500X-Ratelimit-Remaining: 496X-Ratelimit-Reset: 1743107456Date: Thu, 27 Mar 2025 19:30:57 GMTContent-Length: 0

Source: chromecache_49.1.dr

String found in binary or memory: https://www.worldoneonline.com/FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443

Source: unknown	HTTPS traffic detected: 142.250.81.228:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 69.30.237.86:443 -> 192.168.2.7:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 69.30.237.86:443 -> 192.168.2.7:49695 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir5792_330100481

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir5792_330100481

Jump to behavior

Source: classification engine

Classification label: mal68.phis.troj.win@22/6@20/4

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1964,i,2471850246389426269,11701980283300173567,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2024 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1964,i,2471850246389426269,11701980283300173567,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2024 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label	Link
https://www.worldoneonline.com/FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548	100%	Avira URL Cloud	phishing
http://korsrattell.xyz/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.worldoneonline.com	69.30.237.86	true	false	high
beacons-handoff.gcp.gvt2.com	142.251.116.94	true	false	high
www.google.com	142.250.81.228	true	false	high
korsrattell.xyz	188.132.128.218	true	false	high
beacons.gvt2.com	142.250.81.227	true	false	high
beacons.gcp.gvt2.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40	false		unknown
https://www.worldoneonline.com/FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548	false	Avira URL Cloud: phishing	unknown
http://c.pki.goog/r/gsr1.crl	false		high
http://c.pki.goog/r/r4.crl	false		high
http://korsrattell.xyz/favicon.ico	true	Avira URL Cloud: safe	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	false		high
http://korsrattell.xyz/t/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.132.128.218	korsrattell.xyz	Turkey	42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false
69.30.237.86	www.worldoneonline.com	United States	32097	WIIUS	false
142.250.81.228	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1650588
Start date and time:	2025-03-27 20:29:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.phis.troj.win@22/6@20/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): sppsvc.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 142.251.32.110, 142.250.80.67, 142.251.163.84, 142.250.81.238, 23.210.92.197, 142.251.40.131, 4.245.163.56, 23.9.183.29
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (398)
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	5.131460290374407
Encrypted:	false
SSDEEP:	12:8AaJ+dAW1FTWoK9xGixFoBwdNDJNZUSbZkXCABHRsqq+7p:8bJOAWYragNvZUSuzRsqZp
MD5:	0A3E69B8B37A6DF0ACD7E7F5D9D3B854
SHA1:	680DE96CFE2AFF1B030BFBD4A7CFA2529993EA61
SHA-256:	0F3A07F36D6BDDEE418F7D7548BC165B09817E10764A359D2773388CDEC9FF8A
SHA-512:	9C5C0679E082A5776536835110B90436CD6531E3B2C4FC7A15BDCE7F550D6647447C904E68D660FAF81E39C108E17198830E8B133E86D8559180FA6FB5CE25C7
Malicious:	false
Reputation:	low
URL:	http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40
Preview:	<script>.let e=new URL(window.location.href);e.pathname="/t"+e.pathname;let o=e.toString();navigator.cookieEnabled&&!function(e){for(var o=["googlebot","bingbot","yandexbot","duckduckbot","slurp","baiduspider","facebot","ia_archiver"],t=e.toLowerCase(),n=0;n<o.length;n++)if(t.indexOf(o[n])>-1)return!0;return!1}(navigator.userAgent)?setTimeout((function(){document.location.href=o}),1e3):console.log("bt");.</script>..<p style="color:gray;">redirect...</p>.

Chrome Cache Entry: 49

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	5.471355015469421
Encrypted:	false
SSDEEP:	6:uIRnXHFmmmULhOzXFV9JQcqgidV/FJKSK1YGLhOzXFV9JQcqgiPed/VMCGYoVL:lXHAx+O5JJqldvpQO5JJqle9IL
MD5:	180D3111BF4B95B105B0AD913DA78812
SHA1:	3541E6C5346CDFF7442403A15A2C69BC1438F1C3
SHA-256:	3D9104A90EFD3BB116EE3BAAC3B392E3DE5C0276BC4F70E133C84779749D690E
SHA-512:	46A1CC7C59E8A471920BDFF03384B16ACB802D865FD88EF9E377891592C8C4573EEEF9F3C3B91791549A310AC10C0E2A89DE0B7BCF1B59026DA9E3487846522C
Malicious:	false
Reputation:	low
URL:	http://korsrattell.xyz/t/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40
Preview:	<script>.setTimeout(function(){. window.location.href = 'https://www.worldoneonline.com/FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548'; . console.log('redirecting to https://www.worldoneonline.com/FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548');.}, 1000);.</script>.<p></p>.

Chrome Cache Entry: 50

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (879)
Category:	downloaded
Size (bytes):	884
Entropy (8bit):	5.140994617901
Encrypted:	false
SSDEEP:	24:rrgOuPbq/BHslgT1d1uawBATPuoBN2t2t2t2t2t2t2tomffffffo:rrgOu+/KlgJXwBAzuSNYYYYYYYomfffw
MD5:	1871450607ED8315EA3211DF56301424
SHA1:	20798060F8A8D2F95F7921AEFFD86D10D98B3FEA
SHA-256:	ED0D553E726BBDB888F3B942655EF3A60BA948643255F6F1EC85FB833E473F89
SHA-512:	AE731526FCFC93241F301749EAB16DD58054634D53062D85A170A843806107CB388517186C51594307FB5C5D3FD56B074ACF2D966444D0933C9514E6F17C33BA
Malicious:	false
Reputation:	low
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
Preview:	)]}'.["",["paul thomas anderson trailer","delete genetic data 23andme","louisville president schatzel resigns","rockstar games gta 6 release date","atlantic hurricane season","msu hockey tournament","l2 empuraan movie review","chime instant loans"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNoZXMoCg\u003d\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggesteventid":"3791042092700688870","google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-27T20:30:19.759443+0100	2859622	ETPRO EXPLOIT_KIT FoxTDS Initial Check	1	188.132.128.218	80	192.168.2.7	49687	TCP

Network Port Distribution

Total Packets: 117
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2025 20:30:08.092412949 CET	49674	443	192.168.2.7	2.23.227.208
Mar 27, 2025 20:30:08.092540026 CET	49673	443	192.168.2.7	2.23.227.208
Mar 27, 2025 20:30:08.095788956 CET	49675	443	192.168.2.7	2.23.227.208
Mar 27, 2025 20:30:13.126022100 CET	49676	80	192.168.2.7	23.199.215.203
Mar 27, 2025 20:30:13.126041889 CET	49677	443	192.168.2.7	2.18.98.62
Mar 27, 2025 20:30:15.420516968 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:15.420561075 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:15.420680046 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:15.420849085 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:15.420861006 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:15.618704081 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:15.618885040 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:15.620045900 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:15.620054960 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:15.620466948 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:15.670959949 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:16.348294020 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:16.348530054 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:16.358686924 CET	49689	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:16.358722925 CET	443	49689	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:16.358854055 CET	49689	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:16.360728025 CET	49689	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:16.360739946 CET	443	49689	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:16.578174114 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:16.578248978 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:17.360760927 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:17.587754965 CET	80	49688	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:17.587842941 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:17.705451012 CET	49673	443	192.168.2.7	2.23.227.208
Mar 27, 2025 20:30:17.705459118 CET	49674	443	192.168.2.7	2.23.227.208
Mar 27, 2025 20:30:17.705486059 CET	49675	443	192.168.2.7	2.23.227.208
Mar 27, 2025 20:30:18.256206989 CET	443	49689	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:18.256263018 CET	443	49689	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:18.256331921 CET	49689	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:18.256521940 CET	49689	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:18.256541967 CET	443	49689	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:18.256947994 CET	49690	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:18.256993055 CET	443	49690	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:18.257087946 CET	49690	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:18.257211924 CET	49690	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:18.257224083 CET	443	49690	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:18.815535069 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:18.860270977 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:18.934201956 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:18.936623096 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:18.936676979 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:18.971107006 CET	49686	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:30:18.971132040 CET	443	49686	142.250.81.228	192.168.2.7
Mar 27, 2025 20:30:19.158128977 CET	443	49690	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:19.158157110 CET	443	49690	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:19.158231020 CET	49690	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:19.159899950 CET	49690	443	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:19.159945965 CET	443	49690	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:19.202447891 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:19.431339979 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:19.431682110 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:19.479783058 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:19.529114962 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:19.759443045 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:19.814327002 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:20.516860962 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:20.784570932 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:20.837574959 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:20.884015083 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:21.992352962 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:21.992389917 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:21.992440939 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:21.992647886 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:21.992660999 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:21.993057966 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:21.993083954 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:21.993130922 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:21.993283987 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:21.993292093 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.239423990 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.239499092 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:22.240941048 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:22.240955114 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.241235971 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.241497993 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:22.242388964 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.242474079 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:22.243350983 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:22.243360996 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.243679047 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.284271955 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.296967030 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:22.556210041 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.556309938 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.558156967 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:22.558187962 CET	443	49694	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:22.558224916 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:22.566080093 CET	49694	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:27.895086050 CET	49698	80	192.168.2.7	142.251.41.3
Mar 27, 2025 20:30:27.985615969 CET	80	49698	142.251.41.3	192.168.2.7
Mar 27, 2025 20:30:27.985713005 CET	49698	80	192.168.2.7	142.251.41.3
Mar 27, 2025 20:30:27.985897064 CET	49698	80	192.168.2.7	142.251.41.3
Mar 27, 2025 20:30:28.076598883 CET	80	49698	142.251.41.3	192.168.2.7
Mar 27, 2025 20:30:28.076947927 CET	80	49698	142.251.41.3	192.168.2.7
Mar 27, 2025 20:30:28.095133066 CET	49698	80	192.168.2.7	142.251.41.3
Mar 27, 2025 20:30:28.185807943 CET	80	49698	142.251.41.3	192.168.2.7
Mar 27, 2025 20:30:28.233189106 CET	49698	80	192.168.2.7	142.251.41.3
Mar 27, 2025 20:30:28.912853003 CET	49672	443	192.168.2.7	2.23.227.208
Mar 27, 2025 20:30:28.912873030 CET	443	49672	2.23.227.208	192.168.2.7
Mar 27, 2025 20:30:32.355720997 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:32.355782032 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:30:32.355947971 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:30:32.820305109 CET	80	49688	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:32.820357084 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:36.118999004 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:36.119240046 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:40.235291958 CET	49671	443	192.168.2.7	204.79.197.203
Mar 27, 2025 20:30:40.548239946 CET	49671	443	192.168.2.7	204.79.197.203
Mar 27, 2025 20:30:41.155921936 CET	49671	443	192.168.2.7	204.79.197.203
Mar 27, 2025 20:30:42.359035015 CET	49671	443	192.168.2.7	204.79.197.203
Mar 27, 2025 20:30:44.765049934 CET	49671	443	192.168.2.7	204.79.197.203
Mar 27, 2025 20:30:48.046564102 CET	80	49688	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:48.046618938 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:48.803632021 CET	49678	443	192.168.2.7	20.189.173.15
Mar 27, 2025 20:30:49.109265089 CET	49678	443	192.168.2.7	20.189.173.15
Mar 27, 2025 20:30:49.577089071 CET	49671	443	192.168.2.7	204.79.197.203
Mar 27, 2025 20:30:49.717745066 CET	49678	443	192.168.2.7	20.189.173.15
Mar 27, 2025 20:30:50.921279907 CET	49678	443	192.168.2.7	20.189.173.15
Mar 27, 2025 20:30:51.348346949 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:30:51.348407984 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:30:53.328140020 CET	49678	443	192.168.2.7	20.189.173.15
Mar 27, 2025 20:30:58.140382051 CET	49678	443	192.168.2.7	20.189.173.15
Mar 27, 2025 20:30:59.186415911 CET	49671	443	192.168.2.7	204.79.197.203
Mar 27, 2025 20:31:02.593425989 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:31:02.820975065 CET	80	49688	188.132.128.218	192.168.2.7
Mar 27, 2025 20:31:05.842550039 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:31:06.071217060 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:31:07.749452114 CET	49678	443	192.168.2.7	20.189.173.15
Mar 27, 2025 20:31:15.392457008 CET	49710	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:31:15.392492056 CET	443	49710	142.250.81.228	192.168.2.7
Mar 27, 2025 20:31:15.392556906 CET	49710	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:31:15.392748117 CET	49710	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:31:15.392762899 CET	443	49710	142.250.81.228	192.168.2.7
Mar 27, 2025 20:31:15.588069916 CET	443	49710	142.250.81.228	192.168.2.7
Mar 27, 2025 20:31:15.588366032 CET	49710	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:31:15.588376999 CET	443	49710	142.250.81.228	192.168.2.7
Mar 27, 2025 20:31:17.359962940 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:31:17.359983921 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:31:17.875869989 CET	80	49688	188.132.128.218	192.168.2.7
Mar 27, 2025 20:31:17.876250982 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:31:18.049679995 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:31:18.276549101 CET	80	49688	188.132.128.218	192.168.2.7
Mar 27, 2025 20:31:18.276606083 CET	49688	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:31:21.078361988 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:31:21.078403950 CET	49687	80	192.168.2.7	188.132.128.218
Mar 27, 2025 20:31:24.047441006 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:31:24.047461987 CET	443	49695	69.30.237.86	192.168.2.7
Mar 27, 2025 20:31:24.047560930 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:31:24.047560930 CET	49695	443	192.168.2.7	69.30.237.86
Mar 27, 2025 20:31:25.604482889 CET	443	49710	142.250.81.228	192.168.2.7
Mar 27, 2025 20:31:25.604554892 CET	443	49710	142.250.81.228	192.168.2.7
Mar 27, 2025 20:31:25.604634047 CET	49710	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:31:26.047982931 CET	49710	443	192.168.2.7	142.250.81.228
Mar 27, 2025 20:31:26.048000097 CET	443	49710	142.250.81.228	192.168.2.7
Mar 27, 2025 20:31:28.436465979 CET	49698	80	192.168.2.7	142.251.41.3
Mar 27, 2025 20:31:28.525588989 CET	80	49698	142.251.41.3	192.168.2.7
Mar 27, 2025 20:31:28.525798082 CET	49698	80	192.168.2.7	142.251.41.3
Mar 27, 2025 20:31:36.306087017 CET	80	49687	188.132.128.218	192.168.2.7
Mar 27, 2025 20:31:36.306312084 CET	49687	80	192.168.2.7	188.132.128.218

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2025 20:30:10.939683914 CET	53	59073	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:11.003848076 CET	53	64545	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:11.892266989 CET	53	52046	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:11.924674034 CET	53	64944	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:15.328526020 CET	50258	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:30:15.328526020 CET	64479	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:30:15.419044971 CET	53	50258	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:15.419056892 CET	53	64479	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:16.227334023 CET	51197	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:30:16.230276108 CET	55795	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:30:16.268137932 CET	62937	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:30:16.268373013 CET	50510	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:30:16.343914032 CET	53	55795	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:16.344357014 CET	53	51197	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:16.357945919 CET	53	62937	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:16.357966900 CET	53	50510	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:21.902324915 CET	56949	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:30:21.902708054 CET	59451	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:30:21.991486073 CET	53	56949	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:21.991769075 CET	53	59451	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:28.997864962 CET	53	65109	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:47.767416954 CET	53	50019	1.1.1.1	192.168.2.7
Mar 27, 2025 20:30:52.841727972 CET	53	61219	162.159.36.2	192.168.2.7
Mar 27, 2025 20:31:10.260528088 CET	53	50256	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:10.702967882 CET	53	52860	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:20.051075935 CET	56104	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:20.051075935 CET	58889	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:20.141076088 CET	53	56104	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:20.141100883 CET	53	58889	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:21.062694073 CET	54809	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:21.062988043 CET	53338	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:21.152015924 CET	53	54809	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:21.152040005 CET	53	53338	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:23.095802069 CET	60553	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:23.184973001 CET	53	60553	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:24.108516932 CET	60553	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:24.197604895 CET	53	60553	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:25.108906984 CET	60553	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:25.197608948 CET	53	60553	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:27.109261036 CET	60553	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:27.198648930 CET	53	60553	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:31.110740900 CET	60553	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:31.195806980 CET	53	60553	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:36.050122976 CET	53700	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:36.050309896 CET	58257	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:36.136620998 CET	53	53700	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:36.136639118 CET	53	58257	1.1.1.1	192.168.2.7
Mar 27, 2025 20:31:37.062091112 CET	58074	53	192.168.2.7	1.1.1.1
Mar 27, 2025 20:31:37.146414995 CET	53	58074	1.1.1.1	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 27, 2025 20:30:11.892297029 CET	192.168.2.7	1.1.1.1	c1fc	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 27, 2025 20:30:15.328526020 CET	192.168.2.7	1.1.1.1	0x3065	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:30:15.328526020 CET	192.168.2.7	1.1.1.1	0x17eb	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 27, 2025 20:30:16.227334023 CET	192.168.2.7	1.1.1.1	0x33db	Standard query (0)	korsrattell.xyz	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:30:16.230276108 CET	192.168.2.7	1.1.1.1	0xa6b0	Standard query (0)	korsrattell.xyz	65	IN (0x0001)	false
Mar 27, 2025 20:30:16.268137932 CET	192.168.2.7	1.1.1.1	0x1dbb	Standard query (0)	korsrattell.xyz	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:30:16.268373013 CET	192.168.2.7	1.1.1.1	0x7bc3	Standard query (0)	korsrattell.xyz	65	IN (0x0001)	false
Mar 27, 2025 20:30:21.902324915 CET	192.168.2.7	1.1.1.1	0x416f	Standard query (0)	www.worldoneonline.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:30:21.902708054 CET	192.168.2.7	1.1.1.1	0x79	Standard query (0)	www.worldoneonline.com	65	IN (0x0001)	false
Mar 27, 2025 20:31:20.051075935 CET	192.168.2.7	1.1.1.1	0x6271	Standard query (0)	beacons.gcp.gvt2.com	65	IN (0x0001)	false
Mar 27, 2025 20:31:20.051075935 CET	192.168.2.7	1.1.1.1	0x9f52	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:21.062694073 CET	192.168.2.7	1.1.1.1	0x29b	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:21.062988043 CET	192.168.2.7	1.1.1.1	0x4ab6	Standard query (0)	beacons.gcp.gvt2.com	65	IN (0x0001)	false
Mar 27, 2025 20:31:23.095802069 CET	192.168.2.7	1.1.1.1	0x7dab	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:24.108516932 CET	192.168.2.7	1.1.1.1	0x7dab	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:25.108906984 CET	192.168.2.7	1.1.1.1	0x7dab	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:27.109261036 CET	192.168.2.7	1.1.1.1	0x7dab	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:31.110740900 CET	192.168.2.7	1.1.1.1	0x7dab	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:36.050122976 CET	192.168.2.7	1.1.1.1	0x71b0	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:36.050309896 CET	192.168.2.7	1.1.1.1	0x1b23	Standard query (0)	beacons.gvt2.com	65	IN (0x0001)	false
Mar 27, 2025 20:31:37.062091112 CET	192.168.2.7	1.1.1.1	0x7f68	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 27, 2025 20:30:15.419044971 CET	1.1.1.1	192.168.2.7	0x3065	No error (0)	www.google.com		142.250.81.228	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:30:15.419056892 CET	1.1.1.1	192.168.2.7	0x17eb	No error (0)	www.google.com			65	IN (0x0001)	false
Mar 27, 2025 20:30:16.344357014 CET	1.1.1.1	192.168.2.7	0x33db	No error (0)	korsrattell.xyz		188.132.128.218	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:30:16.357945919 CET	1.1.1.1	192.168.2.7	0x1dbb	No error (0)	korsrattell.xyz		188.132.128.218	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:30:21.991486073 CET	1.1.1.1	192.168.2.7	0x416f	No error (0)	www.worldoneonline.com		69.30.237.86	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:20.141076088 CET	1.1.1.1	192.168.2.7	0x6271	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:20.141100883 CET	1.1.1.1	192.168.2.7	0x9f52	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:20.141100883 CET	1.1.1.1	192.168.2.7	0x9f52	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.116.94	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:21.152015924 CET	1.1.1.1	192.168.2.7	0x29b	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:21.152015924 CET	1.1.1.1	192.168.2.7	0x29b	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.116.94	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:21.152040005 CET	1.1.1.1	192.168.2.7	0x4ab6	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:23.184973001 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:23.184973001 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.116.94	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:24.197604895 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:24.197604895 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.116.94	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:25.197608948 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:25.197608948 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.116.94	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:27.198648930 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:27.198648930 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.116.94	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:31.195806980 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2025 20:31:31.195806980 CET	1.1.1.1	192.168.2.7	0x7dab	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.116.94	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:36.136620998 CET	1.1.1.1	192.168.2.7	0x71b0	No error (0)	beacons.gvt2.com		142.250.81.227	A (IP address)	IN (0x0001)	false
Mar 27, 2025 20:31:37.146414995 CET	1.1.1.1	192.168.2.7	0x7f68	No error (0)	beacons.gvt2.com		142.250.81.227	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

korsrattell.xyz

www.worldoneonline.com

c.pki.goog

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49687	188.132.128.218	80	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Mar 27, 2025 20:30:19.202447891 CET	492	OUT	GET /4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40 HTTP/1.1 Host: korsrattell.xyz Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Mar 27, 2025 20:30:19.431682110 CET	711	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Address: gin_throttle_mw_7200000000_45.92.229.138 X-Ratelimit-Limit: 500 X-Ratelimit-Remaining: 497 X-Ratelimit-Reset: 1743107456 Date: Thu, 27 Mar 2025 19:30:57 GMT Content-Length: 458 Data Raw: 3c 73 63 72 69 70 74 3e 0a 6c 65 74 20 65 3d 6e 65 77 20 55 52 4c 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 3b 65 2e 70 61 74 68 6e 61 6d 65 3d 22 2f 74 22 2b 65 2e 70 61 74 68 6e 61 6d 65 3b 6c 65 74 20 6f 3d 65 2e 74 6f 53 74 72 69 6e 67 28 29 3b 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 26 26 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 6f 3d 5b 22 67 6f 6f 67 6c 65 62 6f 74 22 2c 22 62 69 6e 67 62 6f 74 22 2c 22 79 61 6e 64 65 78 62 6f 74 22 2c 22 64 75 63 6b 64 75 63 6b 62 6f 74 22 2c 22 73 6c 75 72 70 22 2c 22 62 61 69 64 75 73 70 69 64 65 72 22 2c 22 66 61 63 65 62 6f 74 22 2c 22 69 61 5f 61 72 63 68 69 76 65 72 22 5d 2c 74 3d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2c 6e 3d 30 3b 6e 3c 6f 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 69 66 28 74 2e 69 6e 64 65 78 4f 66 28 6f 5b 6e 5d 29 3e 2d 31 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 29 3f 73 65 74 54 [TRUNCATED] Data Ascii: <script>let e=new URL(window.location.href);e.pathname="/t"+e.pathname;let o=e.toString();navigator.cookieEnabled&&!function(e){for(var o=["googlebot","bingbot","yandexbot","duckduckbot","slurp","baiduspider","facebot","ia_archiver"],t=e.toLowerCase(),n=0;n<o.length;n++)if(t.indexOf(o[n])>-1)return!0;return!1}(navigator.userAgent)?setTimeout((function(){document.location.href=o}),1e3):console.log("bt");</script><p style="color:gray;">redirect...</p>
Mar 27, 2025 20:30:19.529114962 CET	436	OUT	GET /favicon.ico HTTP/1.1 Host: korsrattell.xyz Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Mar 27, 2025 20:30:19.759443045 CET	259	IN	HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Address: gin_throttle_mw_7200000000_45.92.229.138 X-Ratelimit-Limit: 500 X-Ratelimit-Remaining: 496 X-Ratelimit-Reset: 1743107456 Date: Thu, 27 Mar 2025 19:30:57 GMT Content-Length: 0
Mar 27, 2025 20:30:20.516860962 CET	590	OUT	GET /t/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40 HTTP/1.1 Host: korsrattell.xyz Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Mar 27, 2025 20:30:20.837574959 CET	557	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Address: gin_throttle_mw_7200000000_45.92.229.138 X-Ratelimit-Limit: 500 X-Ratelimit-Remaining: 494 X-Ratelimit-Reset: 1743107456 Date: Thu, 27 Mar 2025 19:30:58 GMT Content-Length: 304 Data Raw: 3c 73 63 72 69 70 74 3e 0a 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 6f 72 6c 64 6f 6e 65 6f 6e 6c 69 6e 65 2e 63 6f 6d 2f 46 42 51 43 54 4b 2f 34 37 39 52 50 36 4c 2f 3f 73 75 62 31 3d 34 30 26 73 75 62 32 3d 31 35 39 2d 32 32 38 33 38 26 73 75 62 33 3d 33 31 33 2d 32 39 38 33 38 2d 33 35 34 38 27 3b 20 0a 20 20 20 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 27 72 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 6f 72 6c 64 6f 6e 65 6f 6e 6c 69 6e 65 2e 63 6f 6d 2f 46 42 51 43 54 4b 2f 34 37 39 52 50 36 4c 2f 3f 73 75 62 31 3d 34 30 26 73 75 62 32 3d 31 35 39 2d 32 32 38 33 38 26 73 75 62 33 3d 33 31 33 2d 32 39 38 33 38 2d 33 35 34 38 27 29 3b 0a 7d 2c 20 31 30 30 30 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 70 3e 3c 2f 70 3e 0a Data Ascii: <script>setTimeout(function(){ window.location.href = 'https://www.worldoneonline.com/FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548'; console.log('redirecting to https://www.worldoneonline.com/FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548');}, 1000);</script><p></p>
Mar 27, 2025 20:31:05.842550039 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.7	49698	142.251.41.3	80

Timestamp	Bytes transferred	Direction	Data
Mar 27, 2025 20:30:27.985897064 CET	202	OUT	GET /r/gsr1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 27, 2025 20:30:28.076947927 CET	223	IN	HTTP/1.1 304 Not Modified Date: Thu, 27 Mar 2025 18:53:36 GMT Expires: Thu, 27 Mar 2025 19:43:36 GMT Age: 2212 Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding
Mar 27, 2025 20:30:28.095133066 CET	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 27, 2025 20:30:28.185807943 CET	223	IN	HTTP/1.1 304 Not Modified Date: Thu, 27 Mar 2025 19:03:30 GMT Expires: Thu, 27 Mar 2025 19:53:30 GMT Age: 1618 Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49688	188.132.128.218	80	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Mar 27, 2025 20:31:02.593425989 CET	6	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49686	142.250.81.228	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-27 19:30:18 UTC	575	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIkqHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ== Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-27 19:30:18 UTC	1303	IN	HTTP/1.1 200 OK Date: Thu, 27 Mar 2025 19:30:18 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-PdiW41dD0CfDyJN_6UWnkQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Downlink Accept-CH: RTT Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-27 19:30:18 UTC	891	IN	Data Raw: 33 37 34 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 70 61 75 6c 20 74 68 6f 6d 61 73 20 61 6e 64 65 72 73 6f 6e 20 74 72 61 69 6c 65 72 22 2c 22 64 65 6c 65 74 65 20 67 65 6e 65 74 69 63 20 64 61 74 61 20 32 33 61 6e 64 6d 65 22 2c 22 6c 6f 75 69 73 76 69 6c 6c 65 20 70 72 65 73 69 64 65 6e 74 20 73 63 68 61 74 7a 65 6c 20 72 65 73 69 67 6e 73 22 2c 22 72 6f 63 6b 73 74 61 72 20 67 61 6d 65 73 20 67 74 61 20 36 20 72 65 6c 65 61 73 65 20 64 61 74 65 22 2c 22 61 74 6c 61 6e 74 69 63 20 68 75 72 72 69 63 61 6e 65 20 73 65 61 73 6f 6e 22 2c 22 6d 73 75 20 68 6f 63 6b 65 79 20 74 6f 75 72 6e 61 6d 65 6e 74 22 2c 22 6c 32 20 65 6d 70 75 72 61 61 6e 20 6d 6f 76 69 65 20 72 65 76 69 65 77 22 2c 22 63 68 69 6d 65 20 69 6e 73 74 61 6e 74 20 6c 6f 61 6e 73 22 5d 2c 5b Data Ascii: 374)]}'["",["paul thomas anderson trailer","delete genetic data 23andme","louisville president schatzel resigns","rockstar games gta 6 release date","atlantic hurricane season","msu hockey tournament","l2 empuraan movie review","chime instant loans"],[
2025-03-27 19:30:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49694	69.30.237.86	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-27 19:30:22 UTC	750	OUT	GET /FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548 HTTP/1.1 Host: www.worldoneonline.com Connection: keep-alive sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: http://korsrattell.xyz/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-27 19:30:22 UTC	225	IN	HTTP/1.1 204 No Content Server: nginx Date: Thu, 27 Mar 2025 19:30:22 GMT Connection: close Accept-Ch: Sec-Ch-Ua-Platform-Version,Sec-Ch-Ua-Model Vary: Origin X-Eflow-Request-Id: 21ed2b64-fa47-4bbd-b612-9b2687c5e971

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49695	69.30.237.86	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-27 19:30:32 UTC	102	IN	Data Raw: 48 54 54 50 2f 31 2e 30 20 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 0d 0a Data Ascii: HTTP/1.0 408 Request Time-outCache-Control: no-cacheConnection: closeContent-Type: text/html
2025-03-27 19:30:32 UTC	110	IN	Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	15:30:07
Start date:	27/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff778810000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:30:08
Start date:	27/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1964,i,2471850246389426269,11701980283300173567,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2024 /prefetch:3
Imagebase:	0x7ff778810000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:30:14
Start date:	27/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40"
Imagebase:	0x7ff778810000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Source: http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40	HTTP Parser: No favicon
Source: http://korsrattell.xyz/t/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40	HTTP Parser: No favicon

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIkqHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /FBQCTK/479RP6L/?sub1=40&sub2=159-22838&sub3=313-29838-3548 HTTP/1.1Host: www.worldoneonline.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://korsrattell.xyz/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40 HTTP/1.1Host: korsrattell.xyzConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: korsrattell.xyzConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /t/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40 HTTP/1.1Host: korsrattell.xyzConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: korsrattell.xyz
Source: global traffic	DNS traffic detected: DNS query: www.worldoneonline.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gvt2.com

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: korsrattell.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: korsrattell.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: korsrattell.xyz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	DNS query: korsrattell.xyz

Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 48

Chrome Cache Entry: 49

Chrome Cache Entry: 50

Static File Info

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5792, Parent PID: 3568

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Windows Analysis Report
http://korsrattell.xyz/4aOtHU22838Suwi159gcsfxkvhbv313ZKADSMRFTRQKBHF29838ICNA3548X40