Edit tour

Windows Analysis Report
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Overview

General Information

Sample URL:	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Analysis ID:	797273
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Antivirus detection for URL or domain

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 3524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 4380 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1772,i,6423684000954109881,8004862400930351413,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

cleanup

Snort Signatures

ET TROJAN Known Sinkhole Response Kryptos Logic - Source IP: 104.16.173.80 - Destination IP: 192.168.2.3

Timestamp:	104.16.173.80192.168.2.380497262031515 02/02/23-19:18:20.079131
SID:	2031515
Source Port:	80
Destination Port:	49726
Protocol:	TCP
Classtype:	Misc activity

ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 - Source IP: 192.168.2.3 - Destination IP: 104.16.173.80

Timestamp:	192.168.2.3104.16.173.8049728802024298 02/02/23-19:18:18.424120
SID:	2024298
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible WannaCry DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 1.1.1.1

Timestamp:	192.168.2.31.1.1.162191532024291 02/02/23-19:18:18.329950
SID:	2024291
Source Port:	62191
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 - Source IP: 192.168.2.3 - Destination IP: 104.16.173.80

Timestamp:	192.168.2.3104.16.173.8049726802024298 02/02/23-19:18:20.044823
SID:	2024298
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Kryptos Logic - Source IP: 104.16.173.80 - Destination IP: 192.168.2.3

Timestamp:	104.16.173.80192.168.2.380497282031515 02/02/23-19:18:18.456828
SID:	2031515
Source Port:	80
Destination Port:	49728
Protocol:	TCP
Classtype:	Misc activity

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+620; __Secure-ENID=6.SE=cJKCBuSaL1dV3R8z2Y2al7-m2m5bGA74lqbYYkqC3uy-NtZ1f6n_bCBr25tlnnjvdmLpGQ81ZKzP3Te5vVjpSQjYWCwvlOMApK7tmZNWcORu0p4wniPJGQfTslQNnpQWhG9qkwkEgy49-6UG3UQ1eiUyFolJZWLeUM1p4KvjM9E

Source: classification engine

Classification label: mal80.win@24/0@9/9

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1772,i,6423684000954109881,8004862400930351413,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1772,i,6423684000954109881,8004862400930351413,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	10%	Virustotal		Browse
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	100%	Avira URL Cloud	malware

Source	Detection	Scanner	Label	Link
http://static.kryptoslogicsinkhole.com/style.css	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	10%	Virustotal		Browse
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico	13%	Virustotal		Browse
http://static.kryptoslogicsinkhole.com/style.css	0%	Virustotal		Browse

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.173.80	true	true	unknown
accounts.google.com	142.250.181.237	true	false	high
www.kryptoslogic.com	188.114.96.3	true	false	unknown
www.google.com	142.250.186.36	true	false	high
clients.l.google.com	172.217.18.14	true	false	high
static.kryptoslogicsinkhole.com	35.237.128.253	true	false	unknown
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://static.kryptoslogicsinkhole.com/style.css	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	true	10%, Virustotal, Browse	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	true	10%, Virustotal, Browse	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.14	clients.l.google.com	United States	15169	GOOGLEUS	false
142.250.181.237	accounts.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.16.173.80	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	United States	13335	CLOUDFLARENETUS	true
35.237.128.253	static.kryptoslogicsinkhole.com	United States	15169	GOOGLEUS	false
142.250.186.164	unknown	United States	15169	GOOGLEUS	false
142.250.184.228	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	797273
Start date and time:	2023-02-02 19:17:42 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.win@24/0@9/9
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.23, 20.190.159.71, 20.190.159.75, 40.126.31.67, 40.126.31.71, 20.190.159.0, 20.190.159.2, 40.126.31.69, 142.250.184.195, 34.104.35.123, 142.250.186.138, 142.250.181.227, 172.217.18.3, 172.217.18.99
Excluded domains from analysis (whitelisted): fonts.googleapis.com, prda.aadg.msidentity.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, login.live.com, fonts.gstatic.com, www.tm.lg.prod.aadmsa.akadns.net, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
104.16.173.80192.168.2.380497262031515 02/02/23-19:18:20.079131	TCP	2031515	ET TROJAN Known Sinkhole Response Kryptos Logic	80	49726	104.16.173.80	192.168.2.3
192.168.2.3104.16.173.8049728802024298 02/02/23-19:18:18.424120	TCP	2024298	ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	49728	80	192.168.2.3	104.16.173.80
192.168.2.31.1.1.162191532024291 02/02/23-19:18:18.329950	UDP	2024291	ET TROJAN Possible WannaCry DNS Lookup 1	62191	53	192.168.2.3	1.1.1.1
192.168.2.3104.16.173.8049726802024298 02/02/23-19:18:20.044823	TCP	2024298	ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	49726	80	192.168.2.3	104.16.173.80
104.16.173.80192.168.2.380497282031515 02/02/23-19:18:18.456828	TCP	2031515	ET TROJAN Known Sinkhole Response Kryptos Logic	80	49728	104.16.173.80	192.168.2.3

Network Port Distribution

Total Packets: 77
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 2, 2023 19:18:18.395656109 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:18.395756006 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:18.395988941 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:18.396017075 CET	49726	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:18.397485018 CET	49728	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:18.400983095 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:18.401010990 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:18.413472891 CET	80	49726	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:18.413672924 CET	49726	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:18.414623022 CET	80	49728	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:18.414784908 CET	49728	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:18.424119949 CET	49728	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:18.441734076 CET	80	49728	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:18.456828117 CET	80	49728	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:18.456871033 CET	80	49728	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:18.456895113 CET	80	49728	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:18.456916094 CET	80	49728	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:18.457089901 CET	49728	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:18.457089901 CET	49728	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:18.467292070 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:18.508508921 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:18.578598976 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:18.578629971 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:18.583076000 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:18.583147049 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:18.644114971 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:18.644176006 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:18.644309998 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:18.646497011 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:18.646547079 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:18.647753954 CET	49728	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:18.665182114 CET	80	49728	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:18.712037086 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:18.733273983 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:18.733309031 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:18.734713078 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:18.734841108 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:18.736865044 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:18.736973047 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:19.047307014 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.049806118 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:19.049874067 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:19.050259113 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:19.050618887 CET	49731	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.053124905 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:19.053214073 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:19.053488016 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:19.057630062 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:19.057672977 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:19.057981014 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:19.058005095 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:19.087688923 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:19.087878942 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:19.087920904 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:19.087955952 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:19.088027954 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:19.097786903 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:19.099672079 CET	49729	443	192.168.2.3	172.217.18.14
Feb 2, 2023 19:18:19.099730015 CET	443	49729	172.217.18.14	192.168.2.3
Feb 2, 2023 19:18:19.106343985 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:19.106718063 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:19.106823921 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:19.118191957 CET	49725	443	192.168.2.3	142.250.181.237
Feb 2, 2023 19:18:19.118238926 CET	443	49725	142.250.181.237	192.168.2.3
Feb 2, 2023 19:18:19.195686102 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.195940018 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.196187019 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.197233915 CET	80	49731	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.197380066 CET	49731	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.343385935 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343478918 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343511105 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343539953 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343576908 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343611956 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343616009 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.343616009 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.343646049 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343677998 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343696117 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.343710899 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343741894 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343756914 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:19.343781948 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:18:19.343828917 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:18:20.044822931 CET	49726	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:20.062052965 CET	80	49726	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:20.079130888 CET	80	49726	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:20.079200983 CET	80	49726	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:20.079272985 CET	80	49726	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:20.079323053 CET	80	49726	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:20.079363108 CET	49726	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:20.079426050 CET	49726	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:20.105846882 CET	49726	80	192.168.2.3	104.16.173.80
Feb 2, 2023 19:18:20.123349905 CET	80	49726	104.16.173.80	192.168.2.3
Feb 2, 2023 19:18:22.225872040 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:22.225950956 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:22.226097107 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:22.226541042 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:22.226587057 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:22.293231010 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:22.293590069 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:22.293641090 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:22.294946909 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:22.295037985 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:22.297538042 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:22.297555923 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:22.297665119 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:22.487941980 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:22.488002062 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:22.587667942 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:32.281512976 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:32.281680107 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:18:32.281774998 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:32.306654930 CET	49740	443	192.168.2.3	142.250.186.164
Feb 2, 2023 19:18:32.306713104 CET	443	49740	142.250.186.164	192.168.2.3
Feb 2, 2023 19:19:04.202253103 CET	49731	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:19:04.348928928 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:19:04.350020885 CET	80	49731	35.237.128.253	192.168.2.3
Feb 2, 2023 19:19:04.496339083 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:19:19.373745918 CET	80	49731	35.237.128.253	192.168.2.3
Feb 2, 2023 19:19:19.374013901 CET	49731	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:19:20.309705973 CET	49731	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:19:20.456569910 CET	80	49731	35.237.128.253	192.168.2.3
Feb 2, 2023 19:19:22.289081097 CET	49802	443	192.168.2.3	142.250.184.228
Feb 2, 2023 19:19:22.289174080 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:22.289273977 CET	49802	443	192.168.2.3	142.250.184.228
Feb 2, 2023 19:19:22.289633036 CET	49802	443	192.168.2.3	142.250.184.228
Feb 2, 2023 19:19:22.289654970 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:22.343441963 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:22.344579935 CET	49802	443	192.168.2.3	142.250.184.228
Feb 2, 2023 19:19:22.344643116 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:22.345801115 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:22.346796989 CET	49802	443	192.168.2.3	142.250.184.228
Feb 2, 2023 19:19:22.346832991 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:22.347070932 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:22.388812065 CET	49802	443	192.168.2.3	142.250.184.228
Feb 2, 2023 19:19:24.344635010 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:19:24.344866991 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:19:26.310775995 CET	49730	80	192.168.2.3	35.237.128.253
Feb 2, 2023 19:19:26.458137989 CET	80	49730	35.237.128.253	192.168.2.3
Feb 2, 2023 19:19:32.330537081 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:32.330676079 CET	443	49802	142.250.184.228	192.168.2.3
Feb 2, 2023 19:19:32.330763102 CET	49802	443	192.168.2.3	142.250.184.228
Feb 2, 2023 19:19:34.310729980 CET	49802	443	192.168.2.3	142.250.184.228
Feb 2, 2023 19:19:34.311048031 CET	443	49802	142.250.184.228	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 2, 2023 19:18:18.329950094 CET	62191	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:18:18.330670118 CET	65492	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:18:18.338746071 CET	56471	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:18:18.348231077 CET	53	65492	1.1.1.1	192.168.2.3
Feb 2, 2023 19:18:18.348309994 CET	53	62191	1.1.1.1	192.168.2.3
Feb 2, 2023 19:18:18.356302023 CET	53	56471	1.1.1.1	192.168.2.3
Feb 2, 2023 19:18:18.771958113 CET	51919	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:18:18.778460979 CET	61239	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:18:18.810137987 CET	53	51919	1.1.1.1	192.168.2.3
Feb 2, 2023 19:18:18.947875023 CET	53	61239	1.1.1.1	192.168.2.3
Feb 2, 2023 19:18:22.185204983 CET	64745	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:18:22.202933073 CET	53	64745	1.1.1.1	192.168.2.3
Feb 2, 2023 19:18:22.207252979 CET	51619	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:18:22.224942923 CET	53	51619	1.1.1.1	192.168.2.3
Feb 2, 2023 19:19:22.244270086 CET	62347	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:19:22.262190104 CET	53	62347	1.1.1.1	192.168.2.3
Feb 2, 2023 19:19:22.268009901 CET	53092	53	192.168.2.3	1.1.1.1
Feb 2, 2023 19:19:22.285751104 CET	53	53092	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 2, 2023 19:18:18.329950094 CET	192.168.2.3	1.1.1.1	0xb691	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.330670118 CET	192.168.2.3	1.1.1.1	0xd2f7	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.338746071 CET	192.168.2.3	1.1.1.1	0x676e	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.771958113 CET	192.168.2.3	1.1.1.1	0xf4b8	Standard query (0)	www.kryptoslogic.com	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.778460979 CET	192.168.2.3	1.1.1.1	0xc386	Standard query (0)	static.kryptoslogicsinkhole.com	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:22.185204983 CET	192.168.2.3	1.1.1.1	0x579d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:22.207252979 CET	192.168.2.3	1.1.1.1	0xb69f	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:19:22.244270086 CET	192.168.2.3	1.1.1.1	0x398b	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:19:22.268009901 CET	192.168.2.3	1.1.1.1	0x9561	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 2, 2023 19:18:18.348231077 CET	1.1.1.1	192.168.2.3	0xd2f7	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 2, 2023 19:18:18.348231077 CET	1.1.1.1	192.168.2.3	0xd2f7	No error (0)	clients.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.348309994 CET	1.1.1.1	192.168.2.3	0xb691	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.173.80	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.348309994 CET	1.1.1.1	192.168.2.3	0xb691	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.17.244.81	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.356302023 CET	1.1.1.1	192.168.2.3	0x676e	No error (0)	accounts.google.com		142.250.181.237	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.810137987 CET	1.1.1.1	192.168.2.3	0xf4b8	No error (0)	www.kryptoslogic.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.810137987 CET	1.1.1.1	192.168.2.3	0xf4b8	No error (0)	www.kryptoslogic.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:18.947875023 CET	1.1.1.1	192.168.2.3	0xc386	No error (0)	static.kryptoslogicsinkhole.com		35.237.128.253	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:22.202933073 CET	1.1.1.1	192.168.2.3	0x579d	No error (0)	www.google.com		142.250.186.36	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:18:22.224942923 CET	1.1.1.1	192.168.2.3	0xb69f	No error (0)	www.google.com		142.250.186.164	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:19:22.262190104 CET	1.1.1.1	192.168.2.3	0x398b	No error (0)	www.google.com		142.250.185.196	A (IP address)	IN (0x0001)	false
Feb 2, 2023 19:19:22.285751104 CET	1.1.1.1	192.168.2.3	0x9561	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

clients2.google.com

accounts.google.com

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

static.kryptoslogicsinkhole.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49729	172.217.18.14	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49725	142.250.181.237	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49728	104.16.173.80	80	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
Feb 2, 2023 19:18:18.424119949 CET	25	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Feb 2, 2023 19:18:18.456828117 CET	25	IN	HTTP/1.1 200 OK Date: Thu, 02 Feb 2023 18:18:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Server: cloudflare CF-RAY: 7934edb928cfbbb9-FRA Content-Encoding: gzip Data Raw: 31 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6c 52 c1 6e db 30 0c fd 15 96 e7 39 5a 6e c5 20 e9 b2 f6 b4 01 1b d0 5e 76 94 25 26 62 23 4b 86 c9 c6 f5 df 0f 6e 12 ac 1e 7a 21 44 8a 8f 8f 7a 4f f6 ee e1 d7 f7 e7 3f bf 1f 21 eb 50 bc 5d 23 94 50 8f 0e a9 76 af 82 10 4b 10 71 58 5b f7 22 e8 6d a6 90 bc 1d 48 03 c4 1c 26 21 75 f8 aa 87 ee 1e bd 55 d6 42 fe 89 eb 29 b7 42 09 fa 05 7e 4c cb a8 4d e0 67 3b 72 b4 e6 d2 71 81 d7 30 90 c3 44 12 27 1e 95 5b 45 88 ad 2a 55 75 b8 81 c1 6d 22 6e 90 67 a6 79 6c 93 7e 80 cd 9c 34 bb 44 67 8e d4 bd 27 5f 80 2b 2b 87 d2 49 0c 85 dc 7e f7 15 bd 2d 5c 4f 90 27 3a 38 34 46 34 28 c7 dd e9 42 59 56 46 b9 12 ee 62 1b 8c e8 b2 9e 44 10 26 2a 0e df 73 c9 44 8a a0 cb 48 0e 95 de d4 ac 0d c6 5b 73 11 a8 6f 69 b9 49 77 28 41 d1 db c4 e7 5b e5 ba f0 a7 c5 ae 6f 6f db 8b 9e 8f dd e7 88 42 61 42 6f 4d e2 f3 2d e6 fd 3f 03 ee ac c9 7b 6f 47 ff 9c 59 20 b5 21 70 85 1c 04 7a a2 0a f2 d1 27 1b ae 7a 64 d5 51 be 19 33 cf f3 46 92 55 0a f4 ff d9 19 fc ce 9a 71 bb 80 59 9f be ea b0 fe a7 bf 00 00 00 ff ff 0d 0a Data Ascii: 153lRn09Zn ^v%&b#Knz!DzO?!P]#PvKqX["mH&!uUB)B~LMg;rq0D'[EUum"ngyl~4Dg'_++I~-\O':84F4(BYVFbD&sDH[soiIw(A[ooBaBoM-?{oGY !pz'zdQ3FUqY
Feb 2, 2023 19:18:18.456871033 CET	25	IN	Data Raw: 61 0d 0a 03 00 1b 65 fe 4f 5f 02 00 00 0d 0a Data Ascii: aeO_
Feb 2, 2023 19:18:18.456895113 CET	25	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49730	35.237.128.253	80	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
Feb 2, 2023 19:18:19.196187019 CET	112	OUT	GET /style.css HTTP/1.1 Host: static.kryptoslogicsinkhole.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/css,/;q=0.1 Referer: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Feb 2, 2023 19:18:19.343478918 CET	114	IN	HTTP/1.1 200 OK Server: nginx/1.10.3 Date: Thu, 02 Feb 2023 18:18:19 GMT Content-Type: text/css Content-Length: 11813 Last-Modified: Mon, 02 Jul 2018 02:05:52 GMT Connection: keep-alive ETag: "5b398880-2e25" Accept-Ranges: bytes Data Raw: 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 40 69 6d 70 6f 72 74 20 75 72 6c 28 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4d 6f 6e 74 73 65 72 72 61 74 7c 4f 70 65 6e 2b 53 61 6e 73 22 29 3b 68 74 6d 6c 2c 62 6f 64 79 2c 64 69 76 2c 73 70 61 6e 2c 61 70 70 6c 65 74 2c 6f 62 6a 65 63 74 2c 69 66 72 61 6d 65 2c 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 2c 70 2c 62 6c 6f 63 6b 71 75 6f 74 65 2c 70 72 65 2c 61 2c 61 62 62 72 2c 61 63 72 6f 6e 79 6d 2c 61 64 64 72 65 73 73 2c 62 69 67 2c 63 69 74 65 2c 63 6f 64 65 2c 64 65 6c 2c 64 66 6e 2c 65 6d 2c 69 6d 67 2c 69 6e 73 2c 6b 62 64 2c 71 2c 73 2c 73 61 6d 70 2c 73 6d 61 6c 6c 2c 73 74 72 69 6b 65 2c 73 74 72 6f 6e 67 2c 73 75 62 2c 73 75 70 2c 74 74 2c 76 61 72 2c 62 2c 75 2c 69 2c 63 65 6e 74 65 72 2c 64 6c 2c 64 74 2c 64 64 2c 6f 6c 2c 75 6c 2c 6c 69 2c 66 69 65 6c 64 73 65 74 2c 66 6f 72 6d 2c 6c 61 62 65 6c 2c 6c 65 67 65 6e 64 2c 74 61 62 6c 65 2c 63 61 70 74 69 6f 6e 2c 74 62 6f 64 79 2c 74 66 6f 6f 74 2c 74 68 65 61 64 2c 74 72 2c 74 68 2c 74 64 2c 61 72 74 69 63 6c 65 2c 61 73 69 64 65 2c 63 61 6e 76 61 73 2c 64 65 74 61 69 6c 73 2c 65 6d 62 65 64 2c 66 69 67 75 72 65 2c 66 69 67 63 61 70 74 69 6f 6e 2c 66 6f 6f 74 65 72 2c 68 65 61 64 65 72 2c 68 67 72 6f 75 70 2c 6d 65 6e 75 2c 6e 61 76 2c 6f 75 74 70 75 74 2c 72 75 62 79 2c 73 65 63 74 69 6f 6e 2c 73 75 6d 6d 61 72 79 2c 74 69 6d 65 2c 6d 61 72 6b 2c 61 75 64 69 6f 2c 76 69 64 65 6f 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 62 6f 72 64 65 72 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 66 6f 6e 74 3a 69 6e 68 65 72 69 74 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 7d 61 72 74 69 63 6c 65 2c 61 73 69 64 65 2c 64 65 74 61 69 6c 73 2c 66 69 67 63 61 70 74 69 6f 6e 2c 66 69 67 75 72 65 2c 66 6f 6f 74 65 72 2c 68 65 61 64 65 72 2c 68 67 72 6f 75 70 2c 6d 65 6e 75 2c 6e 61 76 2c 73 65 63 74 69 6f 6e 2c 6d 61 69 6e 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 7d 62 6f 64 79 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 3b 7d 6f 6c 2c 75 6c 7b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 7d 62 6c 6f 63 6b 71 75 6f 74 65 2c 71 7b 71 75 6f 74 65 73 3a 6e 6f 6e 65 3b 7d 62 6c 6f 63 6b 71 75 6f 74 65 3a 62 65 66 6f 72 65 2c 62 6c 6f 63 6b 71 75 6f 74 65 3a 61 66 74 65 72 2c 71 3a 62 65 66 6f 72 65 2c 71 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 27 3b 63 6f 6e 74 65 6e 74 3a 6e 6f 6e 65 3b 7d 74 61 62 6c 65 7b 62 6f 72 64 65 72 2d 63 6f 6c 6c 61 70 73 65 3a 63 6f 6c 6c 61 70 73 65 3b 62 6f 72 64 65 72 2d 73 70 61 63 69 6e 67 3a 30 3b 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 7d 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 31 46 32 32 32 45 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 41 72 69 61 6c 2c 56 65 72 64 61 6e 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 61 6e 74 Data Ascii: @charset "UTF-8";@import url("https://fonts.googleapis.com/css?family=Montserrat\|Open+Sans");html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td,article,aside,canvas,details,embed,figure,figcaption,footer,header,hgroup,menu,nav,output,ruby,section,summary,time,mark,audio,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline;}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section,main{display:block;}body{line-height:1;}ol,ul{list-style:none;}blockquote,q{quotes:none;}blockquote:before,blockquote:after,q:before,q:after{content:'';content:none;}table{border-collapse:collapse;border-spacing:0;}html{font-size:62.5%;}body{background:#1F222E;font-family:"Open Sans","Helvetica Neue","Lucida Grande",Arial,Verdana,sans-serif;color:#000000;-webkit-font-smoothing:ant
Feb 2, 2023 19:18:19.343511105 CET	115	IN	Data Raw: 69 61 6c 69 61 73 65 64 3b 2d 6d 6f 7a 2d 6f 73 78 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 67 72 61 79 73 63 61 6c 65 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f Data Ascii: ialiased;-moz-osx-font-smoothing:grayscale;font-weight:normal;font-style:normal;font-size:1.4rem;line-height:1.8;font-weight:400;letter-spacing:0;height:100%;}body.flat{background:#2980b9;};background-size:cover;}body.bubble::after{content:'';
Feb 2, 2023 19:18:19.343539953 CET	116	IN	Data Raw: 69 63 61 20 4e 65 75 65 22 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 41 72 69 61 6c 2c 56 65 72 64 61 6e 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6c 69 6e 65 2d Data Ascii: ica Neue","Lucida Grande",Arial,Verdana,sans-serif;margin:0;font-size:1.5rem;line-height:1.8;color:#d2d6e4;font-weight:400;text-align:center;}p.subtitle{margin-bottom:3rem;}h1,h2,h3,h4,h5,h6{color:#FFFFFF;font-family:Montserrat,"Helvetica Neue
Feb 2, 2023 19:18:19.343576908 CET	118	IN	Data Raw: 6f 2d 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b Data Ascii: o-align-items:center;align-items:center;-ms-flex-align:center;display:-webkit-box;display:-moz-box;display:box;display:-webkit-flex;display:-moz-flex;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-moz-box-pack:center;box-pack:center
Feb 2, 2023 19:18:19.343611956 CET	119	IN	Data Raw: 3a 6e 74 68 2d 63 68 69 6c 64 28 34 29 7b 77 69 64 74 68 3a 31 30 72 65 6d 3b 7d 2e 63 6f 6e 74 65 6e 74 20 2e 63 6f 6e 74 65 6e 74 2d 62 6f 78 20 2e 62 69 67 2d 63 6f 6e 74 65 6e 74 20 73 70 61 6e 2e 6c 69 6e 65 3a 6e 74 68 2d 63 68 69 6c 64 28 Data Ascii: :nth-child(4){width:10rem;}.content .content-box .big-content span.line:nth-child(6){width:10rem;}.content .content-box .big-content .fa-search{position:absolute;top:10rem;left:15rem;font-size:10rem;color:#00c8aa;-webkit-animation:corner 5s in
Feb 2, 2023 19:18:19.343646049 CET	120	IN	Data Raw: 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 28 2d 32 72 65 6d 2c 30 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 28 2d 32 72 65 6d 2c 30 29 3b 2d 77 65 62 6b 69 74 2d 61 6e 69 6d 61 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 Data Ascii: nsform:translate(-2rem,0);transform:translate(-2rem,0);-webkit-animation-timing-function:0,0.02,0,1.01;-moz-animation-timing-function:0,0.02,0,1.01;animation-timing-function:0,0.02,0,1.01;}20%{-webkit-transform:translate(-15rem,2rem);-moz-tran
Feb 2, 2023 19:18:19.343677998 CET	122	IN	Data Raw: 64 74 68 3a 31 30 30 25 3b 7d 66 6f 6f 74 65 72 20 75 6c 20 6c 69 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 30 3b 7d 66 6f 6f 74 65 72 20 75 6c Data Ascii: dth:100%;}footer ul li{position:relative;display:inline-block;padding:0;}footer ul li::after{content:'';position:absolute;top:0;right:0;width:0.2rem;height:100%;-webkit-border-radius:1rem;-moz-border-radius:1rem;-ms-border-radius:1rem;border-r
Feb 2, 2023 19:18:19.343710899 CET	123	IN	Data Raw: 61 73 65 2d 69 6e 2d 6f 75 74 3b 7d 66 6f 6f 74 65 72 2e 6c 69 67 68 74 20 75 6c 20 6c 69 3a 3a 61 66 74 65 72 7b 77 69 64 74 68 3a 30 2e 31 72 65 6d 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 72 67 62 61 28 31 31 37 2c 31 32 32 2c 31 33 34 2c 30 2e 32 Data Ascii: ase-in-out;}footer.light ul li::after{width:0.1rem;background:rgba(117,122,134,0.2);}footer.light ul li a{color:rgba(255,255,255,0.7);}footer.light ul li a:hover{color:#FFFFFF;}footer.light ul li a::after{background:rgba(255,255,255,0.3);}.mbY
Feb 2, 2023 19:18:19.343741894 CET	124	IN	Data Raw: 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 28 31 2e 32 29 3b 2d 6d 6f 7a 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 28 31 2e 32 29 3b 2d 6d 73 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 28 31 2e 32 29 3b 2d 6f 2d 74 72 61 6e 73 66 Data Ascii: -transform:scale(1.2);-moz-transform:scale(1.2);-ms-transform:scale(1.2);-o-transform:scale(1.2);transform:scale(1.2);}100%{-webkit-transform:scale(1);-moz-transform:scale(1);-ms-transform:scale(1);-o-transform:scale(1);transform:scale(1);}}.v
Feb 2, 2023 19:18:19.343781948 CET	125	IN	Data Raw: 63 6b 3b 70 61 64 64 69 6e 67 3a 35 72 65 6d 20 30 20 35 72 65 6d 3b 7d 2e 63 6f 6e 74 65 6e 74 20 2e 63 6f 6e 74 65 6e 74 2d 62 6f 78 7b 70 61 64 64 69 6e 67 3a 30 20 31 72 65 6d 3b 7d 2e 63 6f 6e 74 65 6e 74 20 2e 63 6f 6e 74 65 6e 74 2d 62 6f Data Ascii: ck;padding:5rem 0 5rem;}.content .content-box{padding:0 1rem;}.content .content-box .big-content{-webkit-transform:scale(0.8);-moz-transform:scale(0.8);-ms-transform:scale(0.8);-o-transform:scale(0.8);transform:scale(0.8);margin:0 auto;}footer
Feb 2, 2023 19:19:04.348928928 CET	494	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49726	104.16.173.80	80	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
Feb 2, 2023 19:18:20.044822931 CET	441	OUT	GET /favicon.ico HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Feb 2, 2023 19:18:20.079130888 CET	441	IN	HTTP/1.1 200 OK Date: Thu, 02 Feb 2023 18:18:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Server: cloudflare CF-RAY: 7934edc34886366f-FRA Content-Encoding: gzip Data Raw: 31 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6c 52 c1 6e db 30 0c fd 15 96 e7 39 5a 6e c5 20 e9 b2 f6 b4 01 1b d0 5e 76 94 25 26 62 23 4b 86 c9 c6 f5 df 0f 6e 12 ac 1e 7a 21 44 8a 8f 8f 7a 4f f6 ee e1 d7 f7 e7 3f bf 1f 21 eb 50 bc 5d 23 94 50 8f 0e a9 76 af 82 10 4b 10 71 58 5b f7 22 e8 6d a6 90 bc 1d 48 03 c4 1c 26 21 75 f8 aa 87 ee 1e bd 55 d6 42 fe 89 eb 29 b7 42 09 fa 05 7e 4c cb a8 4d e0 67 3b 72 b4 e6 d2 71 81 d7 30 90 c3 44 12 27 1e 95 5b 45 88 ad 2a 55 75 b8 81 c1 6d 22 6e 90 67 a6 79 6c 93 7e 80 cd 9c 34 bb 44 67 8e d4 bd 27 5f 80 2b 2b 87 d2 49 0c 85 dc 7e f7 15 bd 2d 5c 4f 90 27 3a 38 34 46 34 28 c7 dd e9 42 59 56 46 b9 12 ee 62 1b 8c e8 b2 9e 44 10 26 2a 0e df 73 c9 44 8a a0 cb 48 0e 95 de d4 ac 0d c6 5b 73 11 a8 6f 69 b9 49 77 28 41 d1 db c4 e7 5b e5 ba f0 a7 c5 ae 6f 6f db 8b 9e 8f dd e7 88 42 61 42 6f 4d e2 f3 2d e6 fd 3f 03 ee ac c9 7b 6f 47 ff 9c 59 20 b5 21 70 85 1c 04 7a a2 0a f2 d1 27 1b ae 7a 64 d5 51 be 19 33 cf f3 46 92 55 0a f4 ff d9 19 fc ce 9a 71 bb 80 59 9f be ea b0 fe a7 bf 00 00 00 ff ff 0d 0a Data Ascii: 153lRn09Zn ^v%&b#Knz!DzO?!P]#PvKqX["mH&!uUB)B~LMg;rq0D'[EUum"ngyl~4Dg'_++I~-\O':84F4(BYVFbD&sDH[soiIw(A[ooBaBoM-?{oGY !pz'zdQ3FUqY
Feb 2, 2023 19:18:20.079200983 CET	441	IN	Data Raw: 61 0d 0a 03 00 1b 65 fe 4f 5f 02 00 00 0d 0a Data Ascii: aeO_
Feb 2, 2023 19:18:20.079272985 CET	442	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49731	35.237.128.253	80	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
Feb 2, 2023 19:19:04.202253103 CET	494	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49729	172.217.18.14	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-02-02 18:18:19 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-104.0.5112.102 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-02-02 18:18:19 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-onJY245LtLGNa_uhnOa_FA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Feb 2023 18:18:19 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5876 X-Daystart: 37099 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-02-02 18:18:19 UTC	2	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 38 37 36 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 33 37 30 39 39 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5876" elapsed_seconds="37099"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-02-02 18:18:19 UTC	2	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-02-02 18:18:19 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49725	142.250.181.237	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-02-02 18:18:19 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+620; __Secure-ENID=6.SE=cJKCBuSaL1dV3R8z2Y2al7-m2m5bGA74lqbYYkqC3uy-NtZ1f6n_bCBr25tlnnjvdmLpGQ81ZKzP3Te5vVjpSQjYWCwvlOMApK7tmZNWcORu0p4wniPJGQfTslQNnpQWhG9qkwkEgy49-6UG3UQ1eiUyFolJZWLeUM1p4KvjM9E
2023-02-02 18:18:19 UTC	1	OUT	Data Raw: 20 Data Ascii:
2023-02-02 18:18:19 UTC	2	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Feb 2023 18:18:19 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-bprwObUM9OkpuRgYPlq5pw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version= Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-02-02 18:18:19 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-02-02 18:18:19 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	19:18:15
Start date:	02/02/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Imagebase:	0x7ff70f0c0000
File size:	2852640 bytes
MD5 hash:	7BC7B4AEDC055BB02BCB52710132E9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	19:18:17
Start date:	02/02/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1772,i,6423684000954109881,8004862400930351413,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff70f0c0000
File size:	2852640 bytes
MD5 hash:	7BC7B4AEDC055BB02BCB52710132E9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	Virustotal: Detection: 10%			Perma Link
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico	Virustotal: Detection: 13%			Perma Link

Source: Traffic	Snort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.3:62191 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.3:49728 -> 104.16.173.80:80
Source: Traffic	Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.3:49728
Source: Traffic	Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.3:49726 -> 104.16.173.80:80
Source: Traffic	Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.3:49726

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.102Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /style.css HTTP/1.1Host: static.kryptoslogicsinkhole.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/css,/;q=0.1Referer: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: chrome.exePID: 3524, Parent PID: 1628

General

File Activities

File Opened

File Created

File Deleted

File Moved

File Written

Other File Operations

Volume Information Queried

Section Activities

Sections loaded by Windows

Windows Analysis Report
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com