Edit tour

Windows Analysis Report
https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2N

Overview

General Information

Sample URL:	https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clk
Analysis ID:	1671093
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected suspicious crossdomain redirect

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5608 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5740 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2476,i,12397079564940359209,11217634256923059050,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2452 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6800 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr=%7BSWN-SRFR%7D&rfr=%7BSWN-RFR%7D&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://d2xmk204.na1.w3lod.com/kd?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w	Avira URL Cloud: Label: phishing
Source: https://d2xmk204.na1.w3lod.com/redirect?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w&token=aa31a1e866090e7a93046c63ba6cc9e9	Avira URL Cloud: Label: phishing

Source: unknown	HTTPS traffic detected: 142.250.69.4:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.154.144.78:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.154.144.78:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.102:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.102:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.52.207:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	HTTP traffic: Redirect from: wtb-api-hub.swaven.com to https://d2xmk204.na1.w3lod.com/kd?sf=b2mvw7asbszlbj15qc6v72dbteryi2fqavp_eiwmrmp_banhnbaoni5fdmm6gvwoezwlnzn13oknzssi-ji-8w
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	HTTP traffic: Redirect from: d2xmk204.na1.w3lod.com to https://tesla.com

Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr=%7BSWN-SRFR%7D&rfr=%7BSWN-RFR%7D&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH HTTP/1.1Host: wtb-api-hub.swaven.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /kd?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w HTTP/1.1Host: d2xmk204.na1.w3lod.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?token=aa31a1e866090e7a93046c63ba6cc9e9&sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w HTTP/1.1Host: adst.w3lod.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /redirect?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w&token=aa31a1e866090e7a93046c63ba6cc9e9 HTTP/1.1Host: d2xmk204.na1.w3lod.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: connect.sid=s%3AUhPyooqX70RvM8RG5ZGHpud5fWnbVDaO.WPNSr8SLqvnRhoTDGkqqawo2oS4BQOrJPvXYdFmlyhk
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: tesla.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: wtb-api-hub.swaven.com
Source: global traffic	DNS traffic detected: DNS query: d2xmk204.na1.w3lod.com
Source: global traffic	DNS traffic detected: DNS query: adst.w3lod.com
Source: global traffic	DNS traffic detected: DNS query: tesla.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 142.250.69.4:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.154.144.78:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.154.144.78:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.102:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.102:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.52.207:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: classification engine

Classification label: mal48.win@21/0@10/8

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2476,i,12397079564940359209,11217634256923059050,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2452 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr=%7BSWN-SRFR%7D&rfr=%7BSWN-RFR%7D&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2476,i,12397079564940359209,11217634256923059050,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2452 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr=%7BSWN-SRFR%7D&rfr=%7BSWN-RFR%7D&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://d2xmk204.na1.w3lod.com/kd?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w	100%	Avira URL Cloud	phishing
https://adst.w3lod.com/?token=aa31a1e866090e7a93046c63ba6cc9e9&sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w	0%	Avira URL Cloud	safe
https://d2xmk204.na1.w3lod.com/redirect?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w&token=aa31a1e866090e7a93046c63ba6cc9e9	100%	Avira URL Cloud	phishing

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
tesla.com	2.18.52.207	true	false	high
adst.w3lod.com	104.26.5.102	true	false	unknown
www.google.com	142.250.69.4	true	false	high
d2hljrvl8gfxid.cloudfront.net	18.154.144.78	true	false	unknown
d2xmk204.na1.w3lod.com	104.26.4.102	true	false	unknown
wtb-api-hub.swaven.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://d2xmk204.na1.w3lod.com/redirect?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w&token=aa31a1e866090e7a93046c63ba6cc9e9	false	Avira URL Cloud: phishing	unknown
https://adst.w3lod.com/?token=aa31a1e866090e7a93046c63ba6cc9e9&sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w	false	Avira URL Cloud: safe	unknown
https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr=%7BSWN-SRFR%7D&rfr=%7BSWN-RFR%7D&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH	false		high
https://d2xmk204.na1.w3lod.com/kd?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w	false	Avira URL Cloud: phishing	unknown
https://tesla.com/	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.69.4	www.google.com	United States	15169	GOOGLEUS	false
104.26.5.102	adst.w3lod.com	United States	13335	CLOUDFLARENETUS	false
2.18.52.207	tesla.com	European Union	33905	AKAMAI-AMSEU	false
18.154.144.78	d2hljrvl8gfxid.cloudfront.net	United States	16509	AMAZON-02US	false
104.26.4.102	d2xmk204.na1.w3lod.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1671093
Start date and time:	2025-04-22 16:20:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr={SWN-SRFR}&rfr={SWN-RFR}&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@21/0@10/8

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.69.14, 142.250.69.3, 142.250.68.238, 142.250.141.84, 199.232.210.172, 192.178.49.195, 142.250.68.227, 184.29.183.29, 52.149.20.212
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr=%7BSWN-SRFR%7D&rfr=%7BSWN-RFR%7D&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

⊘No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 98
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2025 16:21:19.387847900 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 22, 2025 16:21:27.763910055 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 22, 2025 16:21:28.201864958 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 22, 2025 16:21:28.837466002 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 22, 2025 16:21:29.090559959 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 22, 2025 16:21:30.045092106 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 22, 2025 16:21:30.439450979 CEST	49720	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:21:30.439487934 CEST	443	49720	142.250.69.4	192.168.2.4
Apr 22, 2025 16:21:30.439620972 CEST	49720	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:21:30.439878941 CEST	49720	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:21:30.439894915 CEST	443	49720	142.250.69.4	192.168.2.4
Apr 22, 2025 16:21:30.757692099 CEST	443	49720	142.250.69.4	192.168.2.4
Apr 22, 2025 16:21:30.757755041 CEST	49720	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:21:30.758865118 CEST	49720	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:21:30.758872032 CEST	443	49720	142.250.69.4	192.168.2.4
Apr 22, 2025 16:21:30.759100914 CEST	443	49720	142.250.69.4	192.168.2.4
Apr 22, 2025 16:21:30.810714960 CEST	49720	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:21:32.449562073 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 22, 2025 16:21:32.919034004 CEST	49725	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:32.919065952 CEST	443	49725	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:32.919141054 CEST	49725	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:32.919400930 CEST	49726	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:32.919430971 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:32.919673920 CEST	49725	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:32.919688940 CEST	443	49725	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:32.919709921 CEST	49726	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:32.919855118 CEST	49726	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:32.919869900 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.223898888 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.223968029 CEST	49726	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:33.224323988 CEST	443	49725	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.224384069 CEST	49725	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:33.225824118 CEST	49726	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:33.225836039 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.226133108 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.227168083 CEST	49725	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:33.227179050 CEST	443	49725	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.227421045 CEST	443	49725	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.227425098 CEST	49726	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:33.272268057 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.279364109 CEST	49725	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:33.963237047 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.963344097 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:33.963435888 CEST	49726	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:33.972198009 CEST	49726	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:21:33.972213030 CEST	443	49726	18.154.144.78	192.168.2.4
Apr 22, 2025 16:21:34.180304050 CEST	49727	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:34.180340052 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:34.180438042 CEST	49727	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:34.180629969 CEST	49727	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:34.180648088 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:34.474011898 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:34.474102020 CEST	49727	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:34.475761890 CEST	49727	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:34.475769043 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:34.476006031 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:34.476414919 CEST	49727	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:34.520268917 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:34.922276974 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:34.922441006 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:34.922521114 CEST	49727	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:34.923234940 CEST	49727	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:34.923245907 CEST	443	49727	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:35.069820881 CEST	49729	443	192.168.2.4	104.26.5.102
Apr 22, 2025 16:21:35.069849014 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.069925070 CEST	49729	443	192.168.2.4	104.26.5.102
Apr 22, 2025 16:21:35.070044041 CEST	49729	443	192.168.2.4	104.26.5.102
Apr 22, 2025 16:21:35.070059061 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.365164042 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.365240097 CEST	49729	443	192.168.2.4	104.26.5.102
Apr 22, 2025 16:21:35.369169950 CEST	49729	443	192.168.2.4	104.26.5.102
Apr 22, 2025 16:21:35.369187117 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.369493008 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.369752884 CEST	49729	443	192.168.2.4	104.26.5.102
Apr 22, 2025 16:21:35.416311026 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.969382048 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.969455957 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.969521999 CEST	49729	443	192.168.2.4	104.26.5.102
Apr 22, 2025 16:21:35.971113920 CEST	49729	443	192.168.2.4	104.26.5.102
Apr 22, 2025 16:21:35.971127987 CEST	443	49729	104.26.5.102	192.168.2.4
Apr 22, 2025 16:21:35.972035885 CEST	49731	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:35.972090006 CEST	443	49731	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:35.972168922 CEST	49731	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:35.972341061 CEST	49731	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:35.972352982 CEST	443	49731	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:36.260175943 CEST	443	49731	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:36.260438919 CEST	49731	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:36.260466099 CEST	443	49731	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:36.260689974 CEST	49731	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:36.260695934 CEST	443	49731	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:36.530710936 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 22, 2025 16:21:36.755036116 CEST	443	49731	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:36.755172968 CEST	443	49731	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:36.755358934 CEST	49731	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:36.755713940 CEST	49731	443	192.168.2.4	104.26.4.102
Apr 22, 2025 16:21:36.755738974 CEST	443	49731	104.26.4.102	192.168.2.4
Apr 22, 2025 16:21:36.844193935 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 22, 2025 16:21:36.920768023 CEST	49732	443	192.168.2.4	2.18.52.207
Apr 22, 2025 16:21:36.920809984 CEST	443	49732	2.18.52.207	192.168.2.4
Apr 22, 2025 16:21:36.920902967 CEST	49732	443	192.168.2.4	2.18.52.207
Apr 22, 2025 16:21:36.924470901 CEST	49732	443	192.168.2.4	2.18.52.207
Apr 22, 2025 16:21:36.924487114 CEST	443	49732	2.18.52.207	192.168.2.4
Apr 22, 2025 16:21:37.249608994 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 22, 2025 16:21:37.452476978 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 22, 2025 16:21:37.499874115 CEST	443	49732	2.18.52.207	192.168.2.4
Apr 22, 2025 16:21:37.499947071 CEST	49732	443	192.168.2.4	2.18.52.207
Apr 22, 2025 16:21:37.501090050 CEST	49732	443	192.168.2.4	2.18.52.207
Apr 22, 2025 16:21:37.501100063 CEST	443	49732	2.18.52.207	192.168.2.4
Apr 22, 2025 16:21:37.501339912 CEST	443	49732	2.18.52.207	192.168.2.4
Apr 22, 2025 16:21:37.501677036 CEST	49732	443	192.168.2.4	2.18.52.207
Apr 22, 2025 16:21:37.544265985 CEST	443	49732	2.18.52.207	192.168.2.4
Apr 22, 2025 16:21:38.657963037 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 22, 2025 16:21:39.139266968 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.140233040 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.140275002 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.297668934 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.298213959 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.298227072 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.298712969 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.298780918 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.299115896 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.299257040 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.301064968 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.301079988 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.301137924 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.301151037 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.304780006 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.458373070 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.463372946 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.465809107 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.465830088 CEST	443	49710	131.253.33.254	192.168.2.4
Apr 22, 2025 16:21:39.465878963 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:39.465914011 CEST	49710	443	192.168.2.4	131.253.33.254
Apr 22, 2025 16:21:40.786942959 CEST	443	49720	142.250.69.4	192.168.2.4
Apr 22, 2025 16:21:40.787014008 CEST	443	49720	142.250.69.4	192.168.2.4
Apr 22, 2025 16:21:40.788431883 CEST	49720	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:21:41.064496040 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 22, 2025 16:21:41.521399975 CEST	49720	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:21:41.521433115 CEST	443	49720	142.250.69.4	192.168.2.4
Apr 22, 2025 16:21:45.874355078 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 22, 2025 16:21:46.852137089 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 22, 2025 16:21:55.483441114 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 22, 2025 16:22:03.216370106 CEST	443	49725	18.154.144.78	192.168.2.4
Apr 22, 2025 16:22:03.216497898 CEST	443	49725	18.154.144.78	192.168.2.4
Apr 22, 2025 16:22:03.216658115 CEST	49725	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:22:03.516405106 CEST	49725	443	192.168.2.4	18.154.144.78
Apr 22, 2025 16:22:03.516423941 CEST	443	49725	18.154.144.78	192.168.2.4
Apr 22, 2025 16:22:22.546633959 CEST	49732	443	192.168.2.4	2.18.52.207
Apr 22, 2025 16:22:22.546664000 CEST	443	49732	2.18.52.207	192.168.2.4
Apr 22, 2025 16:22:30.356712103 CEST	49742	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:22:30.356750965 CEST	443	49742	142.250.69.4	192.168.2.4
Apr 22, 2025 16:22:30.356822968 CEST	49742	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:22:30.357075930 CEST	49742	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:22:30.357089043 CEST	443	49742	142.250.69.4	192.168.2.4
Apr 22, 2025 16:22:30.671616077 CEST	443	49742	142.250.69.4	192.168.2.4
Apr 22, 2025 16:22:30.671968937 CEST	49742	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:22:30.671989918 CEST	443	49742	142.250.69.4	192.168.2.4
Apr 22, 2025 16:22:40.673939943 CEST	443	49742	142.250.69.4	192.168.2.4
Apr 22, 2025 16:22:40.674005985 CEST	443	49742	142.250.69.4	192.168.2.4
Apr 22, 2025 16:22:40.674052000 CEST	49742	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:22:41.518981934 CEST	49742	443	192.168.2.4	142.250.69.4
Apr 22, 2025 16:22:41.518995047 CEST	443	49742	142.250.69.4	192.168.2.4
Apr 22, 2025 16:23:07.561836958 CEST	49732	443	192.168.2.4	2.18.52.207
Apr 22, 2025 16:23:07.561851978 CEST	443	49732	2.18.52.207	192.168.2.4
Apr 22, 2025 16:23:10.639617920 CEST	49708	443	192.168.2.4	52.113.196.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2025 16:21:27.676055908 CEST	53	63136	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:27.690253973 CEST	53	61494	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:28.828164101 CEST	53	64308	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:30.297518969 CEST	53391	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:30.297734976 CEST	60990	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:30.437845945 CEST	53	53391	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:30.437866926 CEST	53	60990	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:32.755454063 CEST	63302	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:32.755769968 CEST	56028	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:32.910146952 CEST	53	56028	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:32.917418003 CEST	53	63302	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:33.973500967 CEST	50636	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:33.973733902 CEST	51938	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:34.162167072 CEST	53	51938	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:34.179441929 CEST	53	50636	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:34.925270081 CEST	60059	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:34.925647974 CEST	51617	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:35.069224119 CEST	53	51617	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:35.069241047 CEST	53	60059	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:36.757749081 CEST	60112	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:36.757944107 CEST	51035	53	192.168.2.4	1.1.1.1
Apr 22, 2025 16:21:36.912414074 CEST	53	51035	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:36.920181036 CEST	53	60112	1.1.1.1	192.168.2.4
Apr 22, 2025 16:21:45.920293093 CEST	53	55835	1.1.1.1	192.168.2.4
Apr 22, 2025 16:22:04.935847998 CEST	53	49952	1.1.1.1	192.168.2.4
Apr 22, 2025 16:22:27.079408884 CEST	53	51602	1.1.1.1	192.168.2.4
Apr 22, 2025 16:22:27.514681101 CEST	53	50117	1.1.1.1	192.168.2.4
Apr 22, 2025 16:22:29.029088974 CEST	53	65125	1.1.1.1	192.168.2.4
Apr 22, 2025 16:22:35.959043980 CEST	138	138	192.168.2.4	192.168.2.255
Apr 22, 2025 16:22:57.091176987 CEST	53	55534	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 22, 2025 16:21:30.297518969 CEST	192.168.2.4	1.1.1.1	0x194c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:30.297734976 CEST	192.168.2.4	1.1.1.1	0xdf65	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 22, 2025 16:21:32.755454063 CEST	192.168.2.4	1.1.1.1	0x6e89	Standard query (0)	wtb-api-hub.swaven.com	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:32.755769968 CEST	192.168.2.4	1.1.1.1	0x3afc	Standard query (0)	wtb-api-hub.swaven.com	65	IN (0x0001)	false
Apr 22, 2025 16:21:33.973500967 CEST	192.168.2.4	1.1.1.1	0xe2f0	Standard query (0)	d2xmk204.na1.w3lod.com	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:33.973733902 CEST	192.168.2.4	1.1.1.1	0x62c9	Standard query (0)	d2xmk204.na1.w3lod.com	65	IN (0x0001)	false
Apr 22, 2025 16:21:34.925270081 CEST	192.168.2.4	1.1.1.1	0x15e0	Standard query (0)	adst.w3lod.com	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:34.925647974 CEST	192.168.2.4	1.1.1.1	0x512e	Standard query (0)	adst.w3lod.com	65	IN (0x0001)	false
Apr 22, 2025 16:21:36.757749081 CEST	192.168.2.4	1.1.1.1	0xce85	Standard query (0)	tesla.com	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.757944107 CEST	192.168.2.4	1.1.1.1	0xfb3d	Standard query (0)	tesla.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 22, 2025 16:21:30.437845945 CEST	1.1.1.1	192.168.2.4	0x194c	No error (0)	www.google.com		142.250.69.4	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:30.437866926 CEST	1.1.1.1	192.168.2.4	0xdf65	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 22, 2025 16:21:32.910146952 CEST	1.1.1.1	192.168.2.4	0x3afc	No error (0)	wtb-api-hub.swaven.com	d2hljrvl8gfxid.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 22, 2025 16:21:32.917418003 CEST	1.1.1.1	192.168.2.4	0x6e89	No error (0)	wtb-api-hub.swaven.com	d2hljrvl8gfxid.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 22, 2025 16:21:32.917418003 CEST	1.1.1.1	192.168.2.4	0x6e89	No error (0)	d2hljrvl8gfxid.cloudfront.net		18.154.144.78	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:32.917418003 CEST	1.1.1.1	192.168.2.4	0x6e89	No error (0)	d2hljrvl8gfxid.cloudfront.net		18.154.144.80	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:32.917418003 CEST	1.1.1.1	192.168.2.4	0x6e89	No error (0)	d2hljrvl8gfxid.cloudfront.net		18.154.144.122	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:32.917418003 CEST	1.1.1.1	192.168.2.4	0x6e89	No error (0)	d2hljrvl8gfxid.cloudfront.net		18.154.144.96	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:34.162167072 CEST	1.1.1.1	192.168.2.4	0x62c9	No error (0)	d2xmk204.na1.w3lod.com			65	IN (0x0001)	false
Apr 22, 2025 16:21:34.179441929 CEST	1.1.1.1	192.168.2.4	0xe2f0	No error (0)	d2xmk204.na1.w3lod.com		104.26.4.102	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:34.179441929 CEST	1.1.1.1	192.168.2.4	0xe2f0	No error (0)	d2xmk204.na1.w3lod.com		104.26.5.102	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:34.179441929 CEST	1.1.1.1	192.168.2.4	0xe2f0	No error (0)	d2xmk204.na1.w3lod.com		172.67.74.105	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:35.069224119 CEST	1.1.1.1	192.168.2.4	0x512e	No error (0)	adst.w3lod.com			65	IN (0x0001)	false
Apr 22, 2025 16:21:35.069241047 CEST	1.1.1.1	192.168.2.4	0x15e0	No error (0)	adst.w3lod.com		104.26.5.102	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:35.069241047 CEST	1.1.1.1	192.168.2.4	0x15e0	No error (0)	adst.w3lod.com		104.26.4.102	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:35.069241047 CEST	1.1.1.1	192.168.2.4	0x15e0	No error (0)	adst.w3lod.com		172.67.74.105	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		2.18.52.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		23.7.244.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		2.18.53.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		2.18.55.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		2.18.48.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		2.18.49.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		2.18.51.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		2.18.50.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		23.40.100.207	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:21:36.920181036 CEST	1.1.1.1	192.168.2.4	0xce85	No error (0)	tesla.com		2.18.54.207	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

wtb-api-hub.swaven.com

d2xmk204.na1.w3lod.com

adst.w3lod.com

tesla.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49726	18.154.144.78	443	5740	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:21:33 UTC	1380	OUT	GET /wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr=%7BSWN-SRFR%7D&rfr=%7BSWN-RFR%7D&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH HTTP/1.1 Host: wtb-api-hub.swaven.com Connection: keep-alive sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-22 14:21:33 UTC	587	IN	HTTP/1.1 302 Found Transfer-Encoding: chunked Connection: close Date: Tue, 22 Apr 2025 14:21:33 GMT Pragma: no-cache Location: https://d2xmk204.na1.w3lod.com/kd?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w Server: nginx Cache-Control: private, no-cache, no-store, must-revalidate Cache-Control: no-store, must-revalidate Expires: -1 X-Cache: Miss from cloudfront Via: 1.1 ec08482029069777482bed995460bf64.cloudfront.net (CloudFront) X-Amz-Cf-Pop: LAX50-P4 X-Amz-Cf-Id: BkLHoF2IeE1DQgnVqcmOxD_mF_t48D6UiD4xhBPmWaF-Iqq7Z23MAQ==
2025-04-22 14:21:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49727	104.26.4.102	443	5740	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:21:34 UTC	764	OUT	GET /kd?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w HTTP/1.1 Host: d2xmk204.na1.w3lod.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-22 14:21:34 UTC	1361	IN	HTTP/1.1 302 Found Date: Tue, 22 Apr 2025 14:21:34 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin location: https://adst.w3lod.com/?token=aa31a1e866090e7a93046c63ba6cc9e9&sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w origin-agent-cluster: ?1 referrer-policy: no-referrer rndr-id: 9b6d3e54-cc2a-4eeb Set-Cookie: connect.sid=s%3AUhPyooqX70RvM8RG5ZGHpud5fWnbVDaO.WPNSr8SLqvnRhoTDGkqqawo2oS4BQOrJPvXYdFmlyhk; Path=/; HttpOnly strict-transport-security: max-age=31536000; includeSubDomains vary: Accept vary: Accept-Encoding x-content-type-options: nosniff x-dns-prefetch-control: off x-download-options: noopen x-frame-options: SAMEORIGIN x-permitted-cross-domain-policies: none x-ratelimit-limit: 50 x-ratelimit-remaining: 48 x-ratelimit-reset: 1745331741 x-render-origin-server: Render x-xss-protection: 0 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IqvG1JK%2BcDH%2FXpSdCmwRDQIIatThxM4FVF9fNRozO1mOWZcDNImtDYmfCoj9nLwtDxi7vaKLKUipOTWEWItKgYVAcc%2BMCEPkLqfAB9HFCZ3mAsxQdH1%2FGMglBOxy5PxR0qPKkk%2F11%2F4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
2025-04-22 14:21:34 UTC	270	IN	Data Raw: 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 39 33 34 35 63 34 62 34 30 66 64 36 64 32 63 30 2d 50 48 58 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 33 39 39 30 30 26 6d 69 6e 5f 72 74 74 3d 31 33 39 38 37 31 26 72 74 74 5f 76 61 72 3d 32 39 35 34 39 26 73 65 6e 74 3d 36 26 72 65 63 76 3d 38 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 33 30 26 72 65 63 76 5f 62 79 74 65 73 3d 31 33 33 36 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 32 38 38 34 38 26 63 77 6e 64 3d 32 35 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 35 38 66 65 66 32 66 39 35 35 36 38 33 62 36 36 26 Data Ascii: Server: cloudflareCF-RAY: 9345c4b40fd6d2c0-PHXserver-timing: cfL4;desc="?proto=TCP&rtt=139900&min_rtt=139871&rtt_var=29549&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1336&delivery_rate=28848&cwnd=252&unsent_bytes=0&cid=58fef2f955683b66&
2025-04-22 14:21:34 UTC	191	IN	Data Raw: 62 39 0d 0a 3c 70 3e 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 61 64 73 74 2e 77 33 6c 6f 64 2e 63 6f 6d 2f 3f 74 6f 6b 65 6e 3d 61 61 33 31 61 31 65 38 36 36 30 39 30 65 37 61 39 33 30 34 36 63 36 33 62 61 36 63 63 39 65 39 26 61 6d 70 3b 73 66 3d 62 32 4d 76 77 37 61 53 42 53 5a 4c 42 6a 31 35 71 43 36 76 37 32 64 42 54 45 72 79 69 32 46 71 61 56 70 5f 65 69 77 6d 72 6d 50 5f 42 41 6e 48 4e 42 61 4f 4e 69 35 46 64 4d 6d 36 67 76 77 4f 65 7a 77 4c 6e 7a 6e 31 33 4f 6b 4e 5a 73 53 69 2d 6a 69 2d 38 77 3c 2f 70 3e 0d 0a Data Ascii: b9<p>Found. Redirecting to https://adst.w3lod.com/?token=aa31a1e866090e7a93046c63ba6cc9e9&sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w</p>
2025-04-22 14:21:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49729	104.26.5.102	443	5740	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:21:35 UTC	793	OUT	GET /?token=aa31a1e866090e7a93046c63ba6cc9e9&sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w HTTP/1.1 Host: adst.w3lod.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-22 14:21:35 UTC	966	IN	HTTP/1.1 302 Found Date: Tue, 22 Apr 2025 14:21:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store cf-cache-status: DYNAMIC Location: https://d2xmk204.na1.w3lod.com/redirect?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w&token=aa31a1e866090e7a93046c63ba6cc9e9 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H9LvjzmPiO2%2BpCTs4AcPu%2Fpwaa%2FnpJTBzR1sOICGE4ETZD9LzzspkyBt7iMv3kwy8KBpT0xVS9tMG8gfVKvbMI0a2PpfWC%2BBsOuzlX59FxZUYA9KSjrIaclpngxeMwPN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9345c4b99a8297fd-PHX server-timing: cfL4;desc="?proto=TCP&rtt=139919&min_rtt=139869&rtt_var=29583&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2819&recv_bytes=1365&delivery_rate=28833&cwnd=252&unsent_bytes=0&cid=95d0790be94cfab1&ts=618&x=0"
2025-04-22 14:21:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49731	104.26.4.102	443	5740	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:21:36 UTC	911	OUT	GET /redirect?sf=b2Mvw7aSBSZLBj15qC6v72dBTEryi2FqaVp_eiwmrmP_BAnHNBaONi5FdMm6gvwOezwLnzn13OkNZsSi-ji-8w&token=aa31a1e866090e7a93046c63ba6cc9e9 HTTP/1.1 Host: d2xmk204.na1.w3lod.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: connect.sid=s%3AUhPyooqX70RvM8RG5ZGHpud5fWnbVDaO.WPNSr8SLqvnRhoTDGkqqawo2oS4BQOrJPvXYdFmlyhk
2025-04-22 14:21:36 UTC	1368	IN	HTTP/1.1 302 Found Date: Tue, 22 Apr 2025 14:21:36 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin location: https://tesla.com origin-agent-cluster: ?1 referrer-policy: no-referrer rndr-id: 030f0322-5950-4873 strict-transport-security: max-age=31536000; includeSubDomains vary: Accept vary: Accept-Encoding x-content-type-options: nosniff x-dns-prefetch-control: off x-download-options: noopen x-frame-options: SAMEORIGIN x-permitted-cross-domain-policies: none x-ratelimit-limit: 50 x-ratelimit-remaining: 49 x-ratelimit-reset: 1745331757 x-render-origin-server: Render x-xss-protection: 0 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cak8%2FbIfio3Lt%2FrI4qiPh1DLT3MycOefCuBrPUDd%2FOoXkg17arZKtEa2VzRE0%2FPPCCkd9YUPeO0tp2S9SLYtGOUldsglqhvL4bZWPf1wwOhRLhP43PObmktvMbt4e7GLw5ohUONXvhk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9345c4bf3d6f1dc2-PHX server-timing: cfL4;desc="?proto=TCP&rtt=139840&min_rtt=139751&rtt_var=29620&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1483&delivery_rate=28826&cwnd=252&unsent_bytes=0&cid=8735992b610b331c&ts=501&x=0"
2025-04-22 14:21:36 UTC	1	IN	Data Raw: 32 Data Ascii: 2
2025-04-22 14:21:36 UTC	51	IN	Data Raw: 65 0d 0a 3c 70 3e 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 74 65 73 6c 61 2e 63 6f 6d 3c 2f 70 3e 0d 0a Data Ascii: e<p>Found. Redirecting to https://tesla.com</p>
2025-04-22 14:21:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49732	2.18.52.207	443	5740	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:21:37 UTC	659	OUT	GET / HTTP/1.1 Host: tesla.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5608, Parent PID: 3784

Function Logs

General

Target ID:	1
Start time:	10:21:23
Start date:	22/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

COM Activities

WMI Operations

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5740, Parent PID: 5608

Function Logs

General

Target ID:	2
Start time:	10:21:25
Start date:	22/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2476,i,12397079564940359209,11217634256923059050,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2452 /prefetch:3
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6800, Parent PID: 3784

Function Logs

General

Target ID:	4
Start time:	10:21:32
Start date:	22/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://wtb-api-hub.swaven.com/wtb/v3/outbound_click?wtbid=63ff2f752967f260f2a2ee25&module=wtb&touchpoint=ST&lang=en&sid=851_WEB&avpid=9300657021863&prc=6.00&prc_currency=AUD&clkurlt=3&clkurlaff=1&clkurlaff_prgid=11637&url=aHR0cHM6Ly9kMnhtazIwNC5uYTEudzNsb2QuY29tL2tkP3NmPWIyTXZ3N2FTQlNaTEJqMTVxQzZ2NzJkQlRFcnlpMkZxYVZwX2Vpd21ybVBfQkFuSE5CYU9OaTVGZE1tNmd2d09lendMbnpuMTNPa05ac1NpLWppLTh3&v=1689090747277&s_url=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&rfr2=https%3A%2F%2Fwww.heinz.com.au%2Fmayo%2Fproduct%2F9300657021863%2Fheinz-seriously-good-original-mayonnaise-500ml&s_rfr=%7BSWN-SRFR%7D&rfr=%7BSWN-RFR%7D&url_to=aHR0cHM6Ly93d3cuYW1hem9uLmNvbS5hdS9kcC9CMDdQN0w1TThH"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5608, Parent PID: 3784

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

COM Activities

WMI Operations

Process Activities

Process Created

Process Terminated

Thread Activities