Edit tour

Windows Analysis Report
https://kajec.icu

Overview

General Information

Sample URL:	https://kajec.icu
Analysis ID:	1670493
Infos:

Detection

Score:	0
Range:	0 - 100
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6816 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,876960488278925228,1103831399019611287,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2064 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3140 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,876960488278925228,1103831399019611287,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5000 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5276 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://kajec.icu" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Apr 2025 17:42:12 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeServer: cloudflareVary: accept-encodingCf-Cache-Status: DYNAMICCF-RAY: 933ead32f9a80a1a-MIAalt-svc: h3=":443"; ma=86400

Source: unknown	HTTPS traffic detected: 192.178.49.164:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.22:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.22:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.68.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.68.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.68.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.68.227
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.68.227
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.68.227
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: kajec.icuConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: kajec.icuConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://kajec.icu/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: kajec.icu

Source: chromecache_41.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/capriola/v14/wXKoE3YSppcvo1PDlk_1JeESnA.woff2)
Source: chromecache_41.4.dr	String found in binary or memory: https://fonts.gstatic.com/s/capriola/v14/wXKoE3YSppcvo1PDlk_7JeE.woff2)

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,876960488278925228,1103831399019611287,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2064 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,876960488278925228,1103831399019611287,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5000 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://kajec.icu"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,876960488278925228,1103831399019611287,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2064 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,876960488278925228,1103831399019611287,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5000 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://kajec.icu"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	192.178.49.164	true	false		high
kajec.icu	172.67.153.22	true	false		unknown

Name	Malicious	Antivirus Detection	Reputation
http://c.pki.goog/r/r4.crl	false		high
https://kajec.icu/	false		unknown
https://kajec.icu/favicon.ico	false	Avira URL Cloud: safe	unknown

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.153.22	kajec.icu	United States		13335	CLOUDFLARENETUS	false
192.178.49.164	www.google.com	United States		15169	GOOGLEUS	false

IP
192.168.2.6
192.168.2.5

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1670493
Start date and time:	2025-04-21 19:41:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://kajec.icu
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@23/8@4/4

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	271
Entropy (8bit):	5.234124565998564
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR4wq8cXaoD:J0+oxBeRmR9etdzRxGezHDq8ma+
MD5:	8A300C41C0F21B9F81FCD635D24C54A5
SHA1:	886938622D2F612B8174EA5CCF9C7A59B37797A5
SHA-256:	EB26094EDEC47737B5522DD812AD9DD0AD30B371A5BCD978D359DCFE0A889588
SHA-512:	851AC640FDEBCA0E1C750DD05486E3CA234249C78B2E484D61F6B1B3B6F10F94711FC9877E6764AD470EA3F0F4D97003FA56135BD6F6B11854E3B677CF42BDC4
Malicious:	false
Reputation:	low
URL:	https://kajec.icu/favicon.ico
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.58 (Ubuntu) Server at kajec.icu Port 80</address>.</body></html>.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 21, 2025 19:41:52.918874025 CEST	49672	443	192.168.2.5	204.79.197.203
Apr 21, 2025 19:41:54.121999025 CEST	49672	443	192.168.2.5	204.79.197.203
Apr 21, 2025 19:41:56.528239965 CEST	49672	443	192.168.2.5	204.79.197.203
Apr 21, 2025 19:42:00.555964947 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 21, 2025 19:42:00.856374979 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 21, 2025 19:42:01.373806000 CEST	49672	443	192.168.2.5	204.79.197.203
Apr 21, 2025 19:42:01.465744019 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 21, 2025 19:42:02.731359959 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 21, 2025 19:42:05.137409925 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 21, 2025 19:42:05.178462982 CEST	49697	80	192.168.2.5	142.250.68.227
Apr 21, 2025 19:42:05.326141119 CEST	80	49697	142.250.68.227	192.168.2.5
Apr 21, 2025 19:42:05.326236963 CEST	49697	80	192.168.2.5	142.250.68.227
Apr 21, 2025 19:42:05.326396942 CEST	49697	80	192.168.2.5	142.250.68.227
Apr 21, 2025 19:42:05.474019051 CEST	80	49697	142.250.68.227	192.168.2.5
Apr 21, 2025 19:42:05.474706888 CEST	80	49697	142.250.68.227	192.168.2.5
Apr 21, 2025 19:42:05.518282890 CEST	49697	80	192.168.2.5	142.250.68.227
Apr 21, 2025 19:42:08.265832901 CEST	49699	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:42:08.265866995 CEST	443	49699	192.178.49.164	192.168.2.5
Apr 21, 2025 19:42:08.266037941 CEST	49699	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:42:08.266166925 CEST	49699	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:42:08.266180038 CEST	443	49699	192.178.49.164	192.168.2.5
Apr 21, 2025 19:42:08.588176012 CEST	443	49699	192.178.49.164	192.168.2.5
Apr 21, 2025 19:42:08.588289976 CEST	49699	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:42:08.589590073 CEST	49699	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:42:08.589610100 CEST	443	49699	192.178.49.164	192.168.2.5
Apr 21, 2025 19:42:08.589894056 CEST	443	49699	192.178.49.164	192.168.2.5
Apr 21, 2025 19:42:08.638175964 CEST	49699	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:42:09.459835052 CEST	49701	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.459893942 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.460022926 CEST	49701	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.460396051 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.460427046 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.460587025 CEST	49701	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.460599899 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.460617065 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.460786104 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.460799932 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.823405981 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.823509932 CEST	49701	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.824839115 CEST	49701	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.824862957 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.825109959 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.825726986 CEST	49701	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.868274927 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.884877920 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.884946108 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.885340929 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.885348082 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.885548115 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:09.929795027 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:09.949771881 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 21, 2025 19:42:10.623255968 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:10.623313904 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:10.623399019 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:10.623521090 CEST	49701	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:10.624535084 CEST	49701	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:10.624553919 CEST	443	49701	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:10.983104944 CEST	49672	443	192.168.2.5	204.79.197.203
Apr 21, 2025 19:42:11.575666904 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:11.620275974 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:12.153162003 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:12.153301954 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:12.153348923 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:12.155780077 CEST	49702	443	192.168.2.5	172.67.153.22
Apr 21, 2025 19:42:12.155797005 CEST	443	49702	172.67.153.22	192.168.2.5
Apr 21, 2025 19:42:17.177856922 CEST	49675	443	192.168.2.5	2.23.227.208
Apr 21, 2025 19:42:17.177886963 CEST	443	49675	2.23.227.208	192.168.2.5
Apr 21, 2025 19:42:17.549974918 CEST	49710	443	192.168.2.5	150.171.27.254
Apr 21, 2025 19:42:17.550009966 CEST	443	49710	150.171.27.254	192.168.2.5
Apr 21, 2025 19:42:17.550107002 CEST	49710	443	192.168.2.5	150.171.27.254
Apr 21, 2025 19:42:17.550951958 CEST	49710	443	192.168.2.5	150.171.27.254
Apr 21, 2025 19:42:17.550965071 CEST	443	49710	150.171.27.254	192.168.2.5
Apr 21, 2025 19:42:17.984761953 CEST	443	49710	150.171.27.254	192.168.2.5
Apr 21, 2025 19:42:17.984831095 CEST	49710	443	192.168.2.5	150.171.27.254
Apr 21, 2025 19:42:18.586381912 CEST	443	49699	192.178.49.164	192.168.2.5
Apr 21, 2025 19:42:18.586453915 CEST	443	49699	192.178.49.164	192.168.2.5
Apr 21, 2025 19:42:18.586582899 CEST	49699	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:42:19.545780897 CEST	49699	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:42:19.545802116 CEST	443	49699	192.178.49.164	192.168.2.5
Apr 21, 2025 19:42:19.559294939 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 21, 2025 19:43:05.637742043 CEST	49697	80	192.168.2.5	142.250.68.227
Apr 21, 2025 19:43:05.785510063 CEST	80	49697	142.250.68.227	192.168.2.5
Apr 21, 2025 19:43:05.785612106 CEST	49697	80	192.168.2.5	142.250.68.227
Apr 21, 2025 19:43:08.185709000 CEST	49715	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:43:08.185745955 CEST	443	49715	192.178.49.164	192.168.2.5
Apr 21, 2025 19:43:08.185815096 CEST	49715	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:43:08.186028004 CEST	49715	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:43:08.186038017 CEST	443	49715	192.178.49.164	192.168.2.5
Apr 21, 2025 19:43:08.499835014 CEST	443	49715	192.178.49.164	192.168.2.5
Apr 21, 2025 19:43:08.500294924 CEST	49715	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:43:08.500309944 CEST	443	49715	192.178.49.164	192.168.2.5
Apr 21, 2025 19:43:18.510253906 CEST	443	49715	192.178.49.164	192.168.2.5
Apr 21, 2025 19:43:18.510309935 CEST	443	49715	192.178.49.164	192.168.2.5
Apr 21, 2025 19:43:18.510349989 CEST	49715	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:43:18.552705050 CEST	49715	443	192.168.2.5	192.178.49.164
Apr 21, 2025 19:43:18.552728891 CEST	443	49715	192.178.49.164	192.168.2.5

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 21, 2025 19:42:03.970273972 CEST	53	50510	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:03.972007990 CEST	53	62571	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:04.851484060 CEST	53	51388	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:05.132817030 CEST	53	60023	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:08.124011040 CEST	64080	53	192.168.2.5	1.1.1.1
Apr 21, 2025 19:42:08.124250889 CEST	63969	53	192.168.2.5	1.1.1.1
Apr 21, 2025 19:42:08.264203072 CEST	53	64080	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:08.264659882 CEST	53	63969	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:09.285056114 CEST	54455	53	192.168.2.5	1.1.1.1
Apr 21, 2025 19:42:09.285794973 CEST	61093	53	192.168.2.5	1.1.1.1
Apr 21, 2025 19:42:09.457485914 CEST	53	54455	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:09.459031105 CEST	53	61093	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:10.784046888 CEST	53	52920	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:22.160053015 CEST	53	54458	1.1.1.1	192.168.2.5
Apr 21, 2025 19:42:40.935403109 CEST	53	58146	1.1.1.1	192.168.2.5
Apr 21, 2025 19:43:03.421060085 CEST	53	56310	1.1.1.1	192.168.2.5
Apr 21, 2025 19:43:03.533793926 CEST	53	58969	1.1.1.1	192.168.2.5
Apr 21, 2025 19:43:03.644805908 CEST	138	138	192.168.2.5	192.168.2.255
Apr 21, 2025 19:43:06.779014111 CEST	53	62271	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Apr 21, 2025 19:42:05.326396942 CEST	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Apr 21, 2025 19:42:05.474706888 CEST	1243	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="cacerts" Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]} Content-Length: 530 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Mon, 21 Apr 2025 17:18:04 GMT Expires: Mon, 21 Apr 2025 18:08:04 GMT Cache-Control: public, max-age=3000 Age: 1441 Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT Content-Type: application/pkix-crl Vary: Accept-Encoding Data Raw: 30 82 02 0e 30 82 01 93 02 01 01 30 0a 06 08 2a 86 48 ce 3d 04 03 03 30 47 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 22 30 20 06 03 55 04 0a 13 19 47 6f 6f 67 6c 65 20 54 72 75 73 74 20 53 65 72 76 69 63 65 73 20 4c 4c 43 31 14 30 12 06 03 55 04 03 13 0b 47 54 53 20 52 6f 6f 74 20 52 34 17 0d 32 35 30 34 30 33 30 38 30 30 30 30 5a 17 0d 32 36 30 32 32 38 30 37 35 39 35 39 5a 30 81 e9 30 2f 02 10 6e 47 a9 ce 4f 46 c2 3d e2 49 ea cc 38 94 53 73 17 0d 31 39 30 39 33 30 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 01 f0 9c 5b 70 05 a6 dc 86 e2 f9 9e f3 17 0d 32 30 30 31 33 31 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 01 fe a5 81 44 7e 3b fd 3b b8 1c 24 98 17 0d 32 33 30 36 31 33 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 02 16 68 25 e1 70 04 40 61 24 91 f5 40 17 0d 32 35 30 34 30 33 30 38 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 02 00 8e b2 58 e7 b5 94 0c 1f f9 00 44 17 0d 32 35 30 [TRUNCATED] Data Ascii: 000H=0G10UUS1"0 UGoogle Trust Services LLC10UGTS Root R4250403080000Z260228075959Z00/nGOF=I8Ss190930000000Z00U0,[p200131000000Z00U0,D~;;$230613000000Z00U0,h%p@a$@250403080000Z00U0,XD250403080000Z00U/0-0U0U#0LtI6>j0H=i0f1>2en:IN@g=;bQZ~`NX1?^4y[$\4{;$zDeU6O

Timestamp	Bytes transferred	Direction	Data
2025-04-21 17:42:09 UTC	659	OUT	GET / HTTP/1.1 Host: kajec.icu Connection: keep-alive sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-21 17:42:10 UTC	352	IN	HTTP/1.1 200 OK Date: Mon, 21 Apr 2025 17:42:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: cloudflare Last-Modified: Fri, 21 Mar 2025 14:48:14 GMT Etag: W/"8c9-630db5817d269-gzip" Cf-Cache-Status: DYNAMIC Vary: Accept-Encoding CF-RAY: 933ead293d478e66-PDX alt-svc: h3=":443"; ma=86400
2025-04-21 17:42:10 UTC	1017	IN	Data Raw: 38 63 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 43 61 70 72 69 6f 6c 61 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 62 6f 64 79 7b 0d 0a 09 66 6f 6e Data Ascii: 8c9<!DOCTYPE HTML><html><head><title>404</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><link href='//fonts.googleapis.com/css?family=Capriola' rel='stylesheet' type='text/css'><style type="text/css">body{fon
2025-04-21 17:42:10 UTC	1239	IN	Data Raw: 31 34 70 78 3b 0d 0a 09 09 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 30 70 78 3b 0d 0a 09 7d 0d 0a 7d 0d 0a 0d 0a 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 39 39 31 70 78 29 20 7b 0d 0a 09 2e 6c 6f 67 6f 20 68 31 20 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 30 70 78 3b 0d 0a 09 7d 0d 0a 7d 0d 0a 09 0d 0a 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 36 38 70 78 29 20 7b 0d 0a 09 62 6f 64 79 20 7b 0d 0a 09 09 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 0d 0a 09 09 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 0d 0a 09 09 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0d 0a 09 09 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0d 0a 09 09 68 65 69 67 68 74 3a 20 31 30 Data Ascii: 14px;line-height: 30px;}}@media (max-width: 991px) {.logo h1 {font-size: 150px;}}@media (max-width: 768px) {body {display:-webkit-flex;display:flex;align-items: center;justify-content: center;height: 10
2025-04-21 17:42:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-04-21 17:42:11 UTC	581	OUT	GET /favicon.ico HTTP/1.1 Host: kajec.icu Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://kajec.icu/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-21 17:42:12 UTC	284	IN	HTTP/1.1 404 Not Found Date: Mon, 21 Apr 2025 17:42:12 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: accept-encoding Cf-Cache-Status: DYNAMIC CF-RAY: 933ead32f9a80a1a-MIA alt-svc: h3=":443"; ma=86400
2025-04-21 17:42:12 UTC	278	IN	Data Raw: 31 30 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6b 61 6a 65 63 2e 69 63 75 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 Data Ascii: 10f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Ubuntu) Server at kajec.icu Port 80</add
2025-04-21 17:42:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	1
Start time:	13:41:56
Start date:	21/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff768d10000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	13:42:01
Start date:	21/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,876960488278925228,1103831399019611287,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2064 /prefetch:3
Imagebase:	0x7ff768d10000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	8
Start time:	13:42:04
Start date:	21/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,876960488278925228,1103831399019611287,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5000 /prefetch:8
Imagebase:	0x7ff768d10000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	11
Start time:	13:42:07
Start date:	21/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://kajec.icu"
Imagebase:	0x7ff768d10000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://kajec.icu

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 38

Chrome Cache Entry: 39

Chrome Cache Entry: 40

Chrome Cache Entry: 41

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6304, Parent PID: 1360

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

Windows Analysis Report
https://kajec.icu

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre