Edit tour

Windows Analysis Report
https://urlz.fr/rRBY

Overview

General Information

Sample URL:	https://urlz.fr/rRBY
Analysis ID:	1500180
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected suspicious crossdomain redirect

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3656 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1952,i,2442161772945327702,3741709587517037170,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1472 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://urlz.fr/rRBY" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://urlz.fr/rRBY	Avira URL Cloud: detection malicious, Label: phishing
Source: https://urlz.fr/rRBY	SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.5:61742 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:53373 -> 1.1.1.1:53

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: urlz.fr to https://rondgeusbe-f69b39.ingress-erytho.ewp.live/wp-content/plugins/esidem/pages/region.php

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /rRBY HTTP/1.1Host: urlz.frConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/esidem/pages/region.php HTTP/1.1Host: rondgeusbe-f69b39.ingress-erytho.ewp.liveConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: urlz.fr
Source: global traffic	DNS traffic detected: DNS query: rondgeusbe-f69b39.ingress-erytho.ewp.live
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmldate: Tue, 27 Aug 2024 22:47:25 GMTtransfer-encoding: chunkedconnection: close

Source: sets.json.0.dr	String found in binary or memory: https://07c225f3.online
Source: sets.json.0.dr	String found in binary or memory: https://24.hu
Source: sets.json.0.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.0.dr	String found in binary or memory: https://abczdrowie.pl
Source: sets.json.0.dr	String found in binary or memory: https://alice.tw
Source: sets.json.0.dr	String found in binary or memory: https://ambitionbox.com
Source: sets.json.0.dr	String found in binary or memory: https://autobild.de
Source: sets.json.0.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.0.dr	String found in binary or memory: https://bild.de
Source: sets.json.0.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.0.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.0.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.0.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.0.dr	String found in binary or memory: https://bonvivir.com
Source: chromecache_129.2.dr	String found in binary or memory: https://browsehappy.com/
Source: sets.json.0.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.0.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.0.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.0.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.0.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.0.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.0.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.0.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.0.dr	String found in binary or memory: https://chennien.com
Source: sets.json.0.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.0.dr	String found in binary or memory: https://clarosports.com
Source: sets.json.0.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.0.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.0.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.0.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.0.dr	String found in binary or memory: https://content-loader.com
Source: sets.json.0.dr	String found in binary or memory: https://cookreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.0.dr	String found in binary or memory: https://css-load.com
Source: sets.json.0.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.0.dr	String found in binary or memory: https://deere.com
Source: sets.json.0.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.0.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.0.dr	String found in binary or memory: https://drimer.io
Source: sets.json.0.dr	String found in binary or memory: https://drimer.travel
Source: sets.json.0.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.0.dr	String found in binary or memory: https://een.be
Source: sets.json.0.dr	String found in binary or memory: https://efront.com
Source: sets.json.0.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.0.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.0.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.0.dr	String found in binary or memory: https://ella.sv
Source: sets.json.0.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.0.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.0.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.0.dr	String found in binary or memory: https://finn.no
Source: sets.json.0.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.0.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.0.dr	String found in binary or memory: https://gettalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.0.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.0.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://grid.id
Source: sets.json.0.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.0.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.0.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.0.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://hapara.com
Source: sets.json.0.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.global
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.0.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.0.dr	String found in binary or memory: https://hearty.app
Source: sets.json.0.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.0.dr	String found in binary or memory: https://hearty.me
Source: sets.json.0.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.0.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.0.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.0.dr	String found in binary or memory: https://hj.rs
Source: sets.json.0.dr	String found in binary or memory: https://hjck.com
Source: sets.json.0.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.0.dr	String found in binary or memory: https://html-load.com
Source: sets.json.0.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.0.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.0.dr	String found in binary or memory: https://img-load.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.0.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.0.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.0.dr	String found in binary or memory: https://interia.pl
Source: sets.json.0.dr	String found in binary or memory: https://intoday.in
Source: sets.json.0.dr	String found in binary or memory: https://iolam.it
Source: sets.json.0.dr	String found in binary or memory: https://ishares.com
Source: sets.json.0.dr	String found in binary or memory: https://jagran.com
Source: sets.json.0.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.0.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.0.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.0.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.0.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.0.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.0.dr	String found in binary or memory: https://libero.it
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.0.dr	String found in binary or memory: https://livechat.com
Source: sets.json.0.dr	String found in binary or memory: https://livechatinc.com
Source: sets.json.0.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.0.dr	String found in binary or memory: https://livemint.com
Source: sets.json.0.dr	String found in binary or memory: https://max.auto
Source: sets.json.0.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.0.dr	String found in binary or memory: https://meo.pt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.0.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.0.dr	String found in binary or memory: https://money.pl
Source: sets.json.0.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.0.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://nacion.com
Source: sets.json.0.dr	String found in binary or memory: https://naukri.com
Source: sets.json.0.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.co
Source: sets.json.0.dr	String found in binary or memory: https://nien.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.org
Source: sets.json.0.dr	String found in binary or memory: https://nlc.hu
Source: sets.json.0.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.0.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.0.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.0.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.0.dr	String found in binary or memory: https://o2.pl
Source: sets.json.0.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.0.dr	String found in binary or memory: https://onet.pl
Source: sets.json.0.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.0.dr	String found in binary or memory: https://p106.net
Source: sets.json.0.dr	String found in binary or memory: https://p24.hu
Source: sets.json.0.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.0.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.0.dr	String found in binary or memory: https://player.pl
Source: sets.json.0.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.0.dr	String found in binary or memory: https://poalim.site
Source: sets.json.0.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.0.dr	String found in binary or memory: https://pomponik.pl
Source: sets.json.0.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.0.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.0.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.0.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://radio1.be
Source: sets.json.0.dr	String found in binary or memory: https://radio2.be
Source: sets.json.0.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://repid.org
Source: sets.json.0.dr	String found in binary or memory: https://reshim.org
Source: sets.json.0.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.0.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.0.dr	String found in binary or memory: https://samayam.com
Source: sets.json.0.dr	String found in binary or memory: https://sapo.io
Source: sets.json.0.dr	String found in binary or memory: https://sapo.pt
Source: sets.json.0.dr	String found in binary or memory: https://shock.co
Source: sets.json.0.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.0.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.0.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.0.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.0.dr	String found in binary or memory: https://songshare.com
Source: sets.json.0.dr	String found in binary or memory: https://songstats.com
Source: sets.json.0.dr	String found in binary or memory: https://sporza.be
Source: sets.json.0.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.0.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.0.dr	String found in binary or memory: https://stripe.com
Source: sets.json.0.dr	String found in binary or memory: https://stripe.network
Source: sets.json.0.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.0.dr	String found in binary or memory: https://supereva.it
Source: sets.json.0.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.0.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.0.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.0.dr	String found in binary or memory: https://text.com
Source: sets.json.0.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://the42.ie
Source: sets.json.0.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.0.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.0.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.0.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.0.dr	String found in binary or memory: https://top.pl
Source: sets.json.0.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.0.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://tvid.in
Source: sets.json.0.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.0.dr	String found in binary or memory: https://unotv.com
Source: sets.json.0.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.0.dr	String found in binary or memory: https://vrt.be
Source: sets.json.0.dr	String found in binary or memory: https://vwo.com
Source: sets.json.0.dr	String found in binary or memory: https://welt.de
Source: sets.json.0.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.0.dr	String found in binary or memory: https://wildix.com
Source: sets.json.0.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.0.dr	String found in binary or memory: https://wingify.com
Source: sets.json.0.dr	String found in binary or memory: https://wordle.at
Source: sets.json.0.dr	String found in binary or memory: https://wp.pl
Source: sets.json.0.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.0.dr	String found in binary or memory: https://www.asadcdn.com
Source: sets.json.0.dr	String found in binary or memory: https://ya.ru
Source: sets.json.0.dr	String found in binary or memory: https://yours.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://zalo.me
Source: sets.json.0.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://zingmp3.vn

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 61745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\manifest.fingerprint	Jump to behavior

Source: classification engine

Classification label: mal48.win@23/13@6/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1952,i,2442161772945327702,3741709587517037170,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://urlz.fr/rRBY"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1952,i,2442161772945327702,3741709587517037170,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://urlz.fr/rRBY	100%	Avira URL Cloud	phishing
https://urlz.fr/rRBY	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://wieistmeineip.de	0%	URL Reputation	safe
https://gliadomain.com	0%	URL Reputation	safe
https://nourishingpursuits.com	0%	URL Reputation	safe
https://johndeere.com	0%	URL Reputation	safe
https://songstats.com	0%	URL Reputation	safe
https://p106.net	0%	URL Reputation	safe
https://mystudentdashboard.com	0%	URL Reputation	safe
https://songshare.com	0%	URL Reputation	safe
https://smaker.pl	0%	URL Reputation	safe
https://p24.hu	0%	URL Reputation	safe
https://cardsayings.net	0%	URL Reputation	safe
https://text.com	0%	URL Reputation	safe
https://hazipatika.com	0%	URL Reputation	safe
https://cognitiveai.ru	0%	URL Reputation	safe
https://drimer.travel	0%	URL Reputation	safe
https://deccoria.pl	0%	URL Reputation	safe
https://salemovetravel.com	0%	URL Reputation	safe
https://welt.de	0%	URL Reputation	safe
https://drimer.io	0%	URL Reputation	safe
https://infoedgeindia.com	0%	URL Reputation	safe
https://cognitive-ai.ru	0%	URL Reputation	safe
https://cafemedia.com	0%	URL Reputation	safe
https://graziadaily.co.uk	0%	URL Reputation	safe
https://thirdspace.org.au	0%	URL Reputation	safe
https://smpn106jkt.sch.id	0%	URL Reputation	safe
https://landyrev.com	0%	URL Reputation	safe
https://the42.ie	0%	URL Reputation	safe
https://helpdesk.com	0%	URL Reputation	safe
https://salemovefinancial.com	0%	URL Reputation	safe
https://indiatodayne.in	0%	URL Reputation	safe
https://motherandbaby.com	0%	URL Reputation	safe
https://unotv.com	0%	Avira URL Cloud	safe
https://poalim.xyz	0%	Avira URL Cloud	safe
https://baomoi.com	0%	Avira URL Cloud	safe
https://medonet.pl	0%	Avira URL Cloud	safe
https://mercadolivre.com	0%	Avira URL Cloud	safe
https://mercadoshops.com.co	0%	Avira URL Cloud	safe
https://zdrowietvn.pl	0%	Avira URL Cloud	safe
https://joyreactor.cc	0%	Avira URL Cloud	safe
https://mercadoshops.com.br	0%	Avira URL Cloud	safe
https://reshim.org	0%	Avira URL Cloud	safe
https://bolasport.com	0%	Avira URL Cloud	safe
https://rws1nvtvt.com	0%	Avira URL Cloud	safe
https://hearty.gift	0%	Avira URL Cloud	safe
https://elfinancierocr.com	0%	Avira URL Cloud	safe
https://supereva.it	0%	Avira URL Cloud	safe
https://desimartini.com	0%	Avira URL Cloud	safe
https://nlc.hu	0%	Avira URL Cloud	safe
https://heartymail.com	0%	Avira URL Cloud	safe
https://mercadoshops.com	0%	Avira URL Cloud	safe
https://hearty.app	0%	Avira URL Cloud	safe
https://radio2.be	0%	Avira URL Cloud	safe
https://finn.no	0%	Avira URL Cloud	safe
https://kompas.tv	0%	Avira URL Cloud	safe
https://talkdeskqaid.com	0%	Avira URL Cloud	safe
https://hc1.com	0%	Avira URL Cloud	safe
https://mercadopago.com.mx	0%	Avira URL Cloud	safe
https://mightytext.net	0%	Avira URL Cloud	safe
https://24.hu	0%	Avira URL Cloud	safe
https://browsehappy.com/	0%	Avira URL Cloud	safe
https://mercadopago.com.pe	0%	Avira URL Cloud	safe
https://pudelek.pl	0%	Avira URL Cloud	safe
https://wildixin.com	0%	Avira URL Cloud	safe
https://cookreactor.com	0%	Avira URL Cloud	safe
https://nacion.com	0%	Avira URL Cloud	safe
https://eworkbookcloud.com	0%	Avira URL Cloud	safe
https://joyreactor.com	0%	Avira URL Cloud	safe
https://chennien.com	0%	Avira URL Cloud	safe
https://talkdeskstgid.com	0%	Avira URL Cloud	safe
https://naukri.com	0%	Avira URL Cloud	safe
https://mercadopago.cl	0%	Avira URL Cloud	safe
https://interia.pl	0%	Avira URL Cloud	safe
https://poalim.site	0%	Avira URL Cloud	safe
https://sapo.io	0%	Avira URL Cloud	safe
https://wpext.pl	0%	Avira URL Cloud	safe
https://mercadoshops.com.ar	0%	Avira URL Cloud	safe
https://bonvivir.com	0%	Avira URL Cloud	safe
https://carcostadvisor.be	0%	Avira URL Cloud	safe
https://blackrockadvisorelite.it	0%	Avira URL Cloud	safe
https://commentcamarche.com	0%	Avira URL Cloud	safe
https://elpais.uy	0%	Avira URL Cloud	safe
https://tucarro.com.ve	0%	Avira URL Cloud	safe
https://eleconomista.net	0%	Avira URL Cloud	safe
https://mercadolivre.com.br	0%	Avira URL Cloud	safe
https://rws3nvtvt.com	0%	Avira URL Cloud	safe
https://07c225f3.online	0%	Avira URL Cloud	safe
https://clmbtech.com	0%	Avira URL Cloud	safe
https://etfacademy.it	0%	Avira URL Cloud	safe
https://commentcamarche.net	0%	Avira URL Cloud	safe
https://standardsandpraiserepurpose.com	0%	Avira URL Cloud	safe
https://mercadopago.com.br	0%	Avira URL Cloud	safe
https://hearty.me	0%	Avira URL Cloud	safe
https://mercadolibre.com.gt	0%	Avira URL Cloud	safe
https://mighty-app.appspot.com	0%	Avira URL Cloud	safe
https://hj.rs	0%	Avira URL Cloud	safe
https://timesinternet.in	0%	Avira URL Cloud	safe
https://idbs-eworkbook.com	0%	Avira URL Cloud	safe
https://idbs-staging.com	0%	Avira URL Cloud	safe
https://blackrock.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
urlz.fr	104.21.234.214	true	false	unknown
www.google.com	142.250.185.164	true	false	unknown
rondgeusbe-f69b39.ingress-erytho.ewp.live	63.250.43.133	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://rondgeusbe-f69b39.ingress-erytho.ewp.live/wp-content/plugins/esidem/pages/region.php	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://wieistmeineip.de	sets.json.0.dr	false	URL Reputation: safe	unknown
https://mercadoshops.com.co	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://gliadomain.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://poalim.xyz	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolivre.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://reshim.org	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://nourishingpursuits.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://medonet.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://unotv.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com.br	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://joyreactor.cc	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://zdrowietvn.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://johndeere.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://songstats.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://baomoi.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://supereva.it	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://elfinancierocr.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://bolasport.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://rws1nvtvt.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://desimartini.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hearty.app	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hearty.gift	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://heartymail.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://nlc.hu	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://p106.net	sets.json.0.dr	false	URL Reputation: safe	unknown
https://radio2.be	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://finn.no	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hc1.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://kompas.tv	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mystudentdashboard.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://songshare.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://smaker.pl	sets.json.0.dr	false	URL Reputation: safe	unknown
https://mercadopago.com.mx	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://p24.hu	sets.json.0.dr	false	URL Reputation: safe	unknown
https://talkdeskqaid.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://24.hu	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.pe	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://cardsayings.net	sets.json.0.dr	false	URL Reputation: safe	unknown
https://text.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://browsehappy.com/	chromecache_129.2.dr	false	Avira URL Cloud: safe	unknown
https://mightytext.net	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://pudelek.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hazipatika.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://joyreactor.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://cookreactor.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://wildixin.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://eworkbookcloud.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://cognitiveai.ru	sets.json.0.dr	false	URL Reputation: safe	unknown
https://nacion.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://chennien.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://drimer.travel	sets.json.0.dr	false	URL Reputation: safe	unknown
https://deccoria.pl	sets.json.0.dr	false	URL Reputation: safe	unknown
https://mercadopago.cl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://talkdeskstgid.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://naukri.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://interia.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://bonvivir.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://carcostadvisor.be	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://salemovetravel.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://sapo.io	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://wpext.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://welt.de	sets.json.0.dr	false	URL Reputation: safe	unknown
https://poalim.site	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://drimer.io	sets.json.0.dr	false	URL Reputation: safe	unknown
https://infoedgeindia.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://blackrockadvisorelite.it	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://cognitive-ai.ru	sets.json.0.dr	false	URL Reputation: safe	unknown
https://cafemedia.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://graziadaily.co.uk	sets.json.0.dr	false	URL Reputation: safe	unknown
https://thirdspace.org.au	sets.json.0.dr	false	URL Reputation: safe	unknown
https://mercadoshops.com.ar	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://smpn106jkt.sch.id	sets.json.0.dr	false	URL Reputation: safe	unknown
https://elpais.uy	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://landyrev.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://the42.ie	sets.json.0.dr	false	URL Reputation: safe	unknown
https://commentcamarche.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://tucarro.com.ve	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://rws3nvtvt.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://eleconomista.net	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://helpdesk.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://mercadolivre.com.br	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://clmbtech.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://standardsandpraiserepurpose.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://07c225f3.online	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://salemovefinancial.com	sets.json.0.dr	false	URL Reputation: safe	unknown
https://mercadopago.com.br	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://commentcamarche.net	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://etfacademy.it	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mighty-app.appspot.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hj.rs	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hearty.me	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.com.gt	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://timesinternet.in	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://indiatodayne.in	sets.json.0.dr	false	URL Reputation: safe	unknown
https://idbs-staging.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://blackrock.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://idbs-eworkbook.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://motherandbaby.com	sets.json.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.164	www.google.com	United States	15169	GOOGLEUS	false
63.250.43.133	rondgeusbe-f69b39.ingress-erytho.ewp.live	United States	22612	NAMECHEAP-NETUS	false
104.21.234.214	urlz.fr	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500180
Start date and time:	2024-08-28 00:46:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://urlz.fr/rRBY
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@23/13@6/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.227, 142.250.185.142, 142.250.110.84, 34.104.35.123, 13.85.23.86, 93.184.221.240, 192.229.221.95, 13.85.23.206, 20.3.187.198, 13.95.31.18, 131.107.255.255, 216.58.212.131
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, wu.azureedge.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://urlz.fr/rRBY

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 21:47:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.984763410954654
Encrypted:	false
SSDEEP:	48:8H65dgTEQQHAidAKZdA19ehwiZUklqehgy+3:8H6UvD3y
MD5:	4D739912734B6D1DDC04784C4B414714
SHA1:	8B2DC86A44319CB92FF5F0301952541DADC439D0
SHA-256:	87DCCD90D1B02F1C87B6411F7EA180BBDB4DBA0B7EA675EA5D698C267B56B8E0
SHA-512:	FA3B30B5500CA64512AB5D004B2B6C46DFFE6EAD8D9DD3270F7DCEF00B6B05CCFBE71398A8B8B42C2CE083F0874A759DBF8C8C32590C6455AE6C03237D499EA4
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,..........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............U......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 21:47:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.00116389587879
Encrypted:	false
SSDEEP:	48:815dgTEQQHAidAKZdA1weh/iZUkAQkqehny+2:81Uvx9QKy
MD5:	692644865EE19C179E8E3D2C3C7EAE32
SHA1:	6A18C467635ED713F2A97CE591A4C8A508234412
SHA-256:	07823DF0107394D97FAC52CE886C0156BCEFE6F53D8946CA7C4B83604A893A39
SHA-512:	F09F22ABB7D0E64546E2D3B615CC9260BA572CF0DA669BE5D8704A50F0E9CF13F09F0E47F9E4A94D6F6BF9E393CBAF0EB9407EFA9EC359610F3F55F21371F741
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............U......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.010554056787418
Encrypted:	false
SSDEEP:	48:8x/5dgTEQsHAidAKZdA14tseh7sFiZUkmgqeh7sBy+BX:8x/Uv1nzy
MD5:	CCFAFCB099A3C7569553D20A7427A884
SHA1:	A14064FCD3C29ADDC5800DCBA44E92FC2D209D04
SHA-256:	CE2784E5DCCC6DD5E325593DB3AF8A1389DEEA6A39DF5B2BCF710F268C986758
SHA-512:	A6AF21FF64FB41BFBE155C4C7C751749EDBE002C6D419B3B32A1B73EE571CAE5879DC982E76D885A0AAB431395CD24DBE4043E60AAF5AEE2BDC36756FB7F3586
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............U......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 21:47:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.000735239035045
Encrypted:	false
SSDEEP:	48:8E5dgTEQQHAidAKZdA1vehDiZUkwqehby+R:8EUvypy
MD5:	9747005E195B7B6019EC447C9B5654D9
SHA1:	7179D0C57C2B5B59AA60FD04AD68B9A03DC7C5F5
SHA-256:	631A9EB01917EDFA017B50DD4EB90D61D6156B06CD2B6D9CCE6FE0157D73C5CA
SHA-512:	2086D050F268147A94C71A93B75A3929598D2411218A4F3F4A924C1AD4F4B87D2C98B4B5D6C4557CC36EC5E1893EEF64472E1EE37743F2138C6690B4B8E5CAF6
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....w.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............U......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 21:47:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.988521916057588
Encrypted:	false
SSDEEP:	48:8C5dgTEQQHAidAKZdA1hehBiZUk1W1qehty+C:8CUvC9Ny
MD5:	402A46E2DE9215699C34A76A7ACCF2D1
SHA1:	E51B323384FB2B255A8687ECE8407E109CFAF63B
SHA-256:	79A58EC786BAB7FA80312346C9BDF83C809487691F48421352870DEC4AB52238
SHA-512:	E1B9CDE5902E15697B11E65DCF997B932D95659A80728E5C24AFBC77643BE8EBE7FFE9672480AB2C892E16518B5B24DEA79DE4B181F2733DFD99F8BB6434359A
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............U......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 21:47:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9975104059843667
Encrypted:	false
SSDEEP:	48:8h5dgTEQQHAidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbzy+yT+:8hUv8T/TbxWOvTbzy7T
MD5:	6D0F252E63C549BB150F0B382EE21829
SHA1:	9874C9257CFE5B0DF756A534846CE174BA409B3A
SHA-256:	34E4D08EC9E57F8CCA5BA0B7C592A14D329FECF7AE0F80B85400508723EDDD5E
SHA-512:	5AC225E20BD4CDFF24794A5E6B97EF835F7F04918EA38016E876B1B25FB569A3EC295C4F2C636EDC6397E0CEE6C49E2E7F55FB89CEECB31831FE7AB6AD934B07
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....p.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............U......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Reputation:	low
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	6.021127689065198
Encrypted:	false
SSDEEP:	48:p/hUI1atAdI567akUmYWEFw/3+ovGJ4F3jkZUbvzk98g5m7:RnYQI47avYUwvVGJ41jkZIzxgA7
MD5:	68E6B5733E04AB7BF19699A84D8ABBC2
SHA1:	1C11F06CA1AD3ED8116D356AB9164FD1D52B5CF0
SHA-256:	F095F969D6711F53F97747371C83D5D634EAEF21C54CB1A6A1CC5B816D633709
SHA-512:	9DC5D824A55C969820D5D1FBB0CA7773361F044AE0C255E7C48D994E16CE169FCEAC3DE180A3A544EBEF32337EA535683115584D592370E5FE7D85C68B86C891
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiIyNXB3SWdtQWU2QTVoeDVVTG9OV0laODBLbzJjbktOTHpacUdjbjlLT2c4In0seyJwYXRoIjoic2V0cy5qc29uIiwicm9vdF9oYXNoIjoiOWVza0FuRlBsM3VCQzkwUmFWakxNaVI3NXZIQi0wQUVmMmg0RzU3ZXNpcyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImdvbnBlbWRna2pjZWNkZ2JuYWFiaXBwcGJtZ2ZnZ2JlIiwiaXRlbV92ZXJzaW9uIjoiMjAyNC44LjEwLjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"dU2MmRUQSugaJAJvEN4uaQHx-KXdOkjj0yK8_aH4Afr3kN7DPOZRt6yLTS3UchBE5M-dgPPPBuKADj4KEK4B22SO6WQquL5J27AUPqQBGgr44-iFGVJdOLLlfirFlJmcYv6DUFRYiPsQFGMr1JFqInj19jgkOxzR6qqcNuTCB0wGEMeTU80r-igCjeQG6TIzPro7yKd_-UxsxO6OGAySmlIJIoU54X0p0ATNoZyAfkhb8kb0oN8unOU

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.9159446964030753
Encrypted:	false
SSDEEP:	3:Sq5TQRaELVHecsUDBAeHD5k:Sq5gJ+csHej5k
MD5:	CFB54589424206D0AE6437B5673F498D
SHA1:	D1EF6314F0F68EFDD0BA8F6CA9E59BFF863B1609
SHA-256:	285AC183C35350B4B77332172413902F83726CA8F53D63859B5DA082FD425A1C
SHA-512:	70FDCA4A1E6B7A5FFED3414E2DB74FECA7E0FD17482B8CB30393DFEE20AB9AD2B0B00FF0C590DD0E8D744D0EAD876CE8844519AF66618ED14666BCA56DF2DA21
Malicious:	false
Reputation:	low
Preview:	1.dbf288588465463a914bdfc5e86d465fb3592b2f1261dc0e40fcc5c1adc8e7e4

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.4533115571544695
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFCmMARWHJqS1tean:F6VlM8aRWpqS1ln
MD5:	C3419069A1C30140B77045ABA38F12CF
SHA1:	11920F0C1E55CADC7D2893D1EEBB268B3459762A
SHA-256:	DB9A702209807BA039871E542E8356219F342A8D9C9CA34BCD9A86727F4A3A0F
SHA-512:	C5E95A4E9F5919CB14F4127539C4353A55C5F68062BF6F95E1843B6690CEBED3C93170BADB2412B7FB9F109A620385B0AE74783227D6813F26FF8C29074758A1
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2024.8.10.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\sets.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	9748
Entropy (8bit):	4.629326694042306
Encrypted:	false
SSDEEP:	96:Mon4mvC4qX19s1blbw/BNKLcxbdmf56MFJtRTGXvcxN43uP+8qJq:v5C4ql7BkIVmtRTGXvcxBsq
MD5:	EEA4913A6625BEB838B3E4E79999B627
SHA1:	1B4966850F1B117041407413B70BFA925FD83703
SHA-256:	20EF4DE871ECE3C5F14867C4AE8465999C7A2CC1633525E752320E61F78A373C
SHA-512:	31B1429A5FACD6787F6BB45216A4AB1C724C79438C18EBFA8C19CED83149C17783FD492A03197110A75AAF38486A9F58828CA30B58D41E0FE89DFE8BDFC8A004
Malicious:	false
Reputation:	low
Preview:	{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://citybibleforum.org","associatedSites":["https://thirdspace.org.au"]}.{"primary":"https://cognitiveai.ru","associatedSites":["https://cognitive-ai.ru"]}.{"primary":"https://drimer.io","asso

Chrome Cache Entry: 129

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (57435)
Category:	downloaded
Size (bytes):	310783
Entropy (8bit):	6.02048874626992
Encrypted:	false
SSDEEP:	6144:EzPHHHlDtsRLfIw/onJwg0aDlgF0Q0psEhaXNWdXg/:ulDtELJAnJwOOF0Q0+Ehzo
MD5:	A8C81793830CB83ECCA24A6B48BA539F
SHA1:	E081AE638BAB76567B410D7C04BB3A8AB55D76B7
SHA-256:	095D02A44D29EEC459435F1BB50C0E7D4085301C77E364C8FA7029F417918676
SHA-512:	9A0FD4B82448277CDF7D6C91F917D4C5D31D340C724AC80A449F62C465F231CCC200DCF806C2C6FE0633E69408756CFCAACA2F630F987F00380531E19ED3CFEE
Malicious:	false
Reputation:	low
URL:	https://rondgeusbe-f69b39.ingress-erytho.ewp.live/wp-content/plugins/esidem/pages/region.php
Preview:	<!doctype html>.<html class="no-js" lang="">..<head>. <meta charset="utf-8">. <meta http-equiv="x-ua-compatible" content="ie=edge">. <title>Website not found.</title>. <meta name="description" content="">. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">.. <link rel="icon" type="image/png" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAAAAXNSR0IArs4c6QAACHhJREFUeAHdW2lsHEUWrqqZsT3j2FmbHBxBXsyGsAsCCRIRgjicA2JHRAtEQtHCj2i1ihASgnCEOFnEj9jhNAgpIC7xA6RoEYeIiB0WEgdLiYSSrATi2JBsIBAMPmIndjzjeDxV+73xtNUz7unpqukZj+gfrup6r973va+rq2q625wV+Ljw0KuRod5Ti5RSSxRnixRjczhjNYCtUUxRyTjjgygGYRuErZcrdpBzfqB6znkHuxeuj5JPoQ7g+X9ce+jV0H/7BtZIJe9nTF3HFAsaoXA2Dnm+EFxsv3x27XuHF66PG8Vx6eSrAH/sfKuiL9r9EK7k/bi6F7ngapswSn4B2e0X8Kq2Y00PnNMOkKWDbwJUdTy9ICHj/0LyV2fB8qUZhL8MiNDdw40bj/gRUPgRpLJ929/G1fjhQidPXAmDsAjTD+55j4BIR+tqJeWHIOOLmBpJSS7EHdHG5p0afaa45iVAZUfLVVKp/bgsM6ZELkYDZ2cF5zeMNG7+yhTO+KrNO9AWllLtnLbkKWMITxyIS9EFOHU6uh6gdabAPvarS3E

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 00:47:16.093067884 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:16.202466011 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:16.202466011 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:23.398927927 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.398976088 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.399055004 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.399246931 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.399259090 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.399439096 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.399455070 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.399466038 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.399665117 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.399674892 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.944520950 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.945048094 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.945874929 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.945898056 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.946441889 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.946451902 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.946815968 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.946881056 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.947295904 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.947364092 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.959146976 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.959208012 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.959383965 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.959439039 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:23.959594965 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:23.959604979 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:24.005099058 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:24.005099058 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:24.005105972 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:24.050734997 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:24.295113087 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:24.295165062 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:24.295229912 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:24.297278881 CEST	49709	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:24.297290087 CEST	443	49709	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:24.311646938 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:24.311666012 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:24.311738968 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:24.312052011 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:24.312062025 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:24.915510893 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:24.920758963 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:24.920773029 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:24.921662092 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:24.921722889 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.314604998 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.314682007 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.315216064 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.315224886 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.355602026 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.489130974 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.489145994 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.489217997 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.489227057 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.489272118 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.576766014 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.576773882 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.576824903 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.576847076 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.576853991 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.576898098 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.578116894 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.578134060 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.578193903 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.578200102 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.578241110 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.649175882 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.649190903 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.649257898 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.649266005 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.649307966 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.665229082 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.665245056 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.665307045 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.665314913 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.665357113 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.667659998 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.667675972 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.667726994 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.667732954 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.667769909 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.699798107 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:25.720931053 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.720948935 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.721007109 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.721014023 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.721050978 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.736844063 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.736901045 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.736972094 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.736972094 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.736979961 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.752193928 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.752207994 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.752264977 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.752271891 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.752305031 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.754928112 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.754949093 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.754992962 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.754997969 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.755043983 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.756700039 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.756716013 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.756779909 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.756786108 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.761059999 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.761074066 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.761135101 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.761142015 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.808196068 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.808209896 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.808284998 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.808294058 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.808923006 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.808938026 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.809004068 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:25.809024096 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.809030056 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.809058905 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:25.824409008 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.824424028 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.824476004 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.824486971 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.824513912 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.839915037 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.839927912 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.839988947 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.839994907 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.840363026 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.840375900 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.840416908 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.840421915 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.840452909 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.841365099 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.841378927 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.841428995 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.841438055 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.841470003 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.842114925 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.842128038 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.842186928 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.842191935 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.843076944 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.843090057 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.843137026 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.843141079 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.843170881 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.843178988 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:25.843221903 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.843477964 CEST	49713	443	192.168.2.5	63.250.43.133
Aug 28, 2024 00:47:25.843486071 CEST	443	49713	63.250.43.133	192.168.2.5
Aug 28, 2024 00:47:26.202583075 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:26.202615023 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:26.202682018 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:26.203296900 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:26.203310013 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:26.431068897 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:26.431143045 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:26.431337118 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:26.437252998 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:26.437283039 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:26.870518923 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:26.871043921 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:26.871058941 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:26.872031927 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:26.872111082 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:26.874237061 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:26.874290943 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:26.930114985 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:26.930121899 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:26.976982117 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:27.083040953 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:27.083125114 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.139141083 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.139187098 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:27.139488935 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:27.180110931 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.275437117 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.320499897 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:27.455737114 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 28, 2024 00:47:27.455837011 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:27.470287085 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:27.470360994 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:27.470422029 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.475791931 CEST	49715	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.475819111 CEST	443	49715	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:27.821007967 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.821052074 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:27.821139097 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.821731091 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:27.821748018 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:28.464910030 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:28.464970112 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:28.467542887 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:28.467550993 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:28.467804909 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:28.469387054 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:28.512506962 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:28.742616892 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:28.742672920 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:28.742732048 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:28.744635105 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 28, 2024 00:47:28.744651079 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 28, 2024 00:47:36.775437117 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:36.775609970 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:36.775676966 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:37.842813969 CEST	49714	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:47:37.842833042 CEST	443	49714	142.250.185.164	192.168.2.5
Aug 28, 2024 00:47:38.721626043 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:38.721961021 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:38.723232031 CEST	49724	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:38.723263979 CEST	443	49724	23.1.237.91	192.168.2.5
Aug 28, 2024 00:47:38.723325014 CEST	49724	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:38.723855019 CEST	49724	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:38.723866940 CEST	443	49724	23.1.237.91	192.168.2.5
Aug 28, 2024 00:47:38.726496935 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 28, 2024 00:47:38.726690054 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 28, 2024 00:47:38.769171953 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:38.769243002 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:38.769294024 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:39.336618900 CEST	443	49724	23.1.237.91	192.168.2.5
Aug 28, 2024 00:47:39.336709023 CEST	49724	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:47:39.838542938 CEST	49710	443	192.168.2.5	104.21.234.214
Aug 28, 2024 00:47:39.838565111 CEST	443	49710	104.21.234.214	192.168.2.5
Aug 28, 2024 00:47:40.456507921 CEST	53373	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:40.461364985 CEST	53	53373	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:40.461488962 CEST	53373	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:40.461488962 CEST	53373	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:40.468710899 CEST	53	53373	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:40.924057007 CEST	53	53373	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:40.926338911 CEST	53373	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:40.931534052 CEST	53	53373	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:40.931776047 CEST	53373	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:58.520397902 CEST	443	49724	23.1.237.91	192.168.2.5
Aug 28, 2024 00:47:58.520473003 CEST	49724	443	192.168.2.5	23.1.237.91
Aug 28, 2024 00:48:24.237054110 CEST	61742	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:48:24.243920088 CEST	53	61742	1.1.1.1	192.168.2.5
Aug 28, 2024 00:48:24.244059086 CEST	61742	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:48:24.244106054 CEST	61742	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:48:24.251072884 CEST	53	61742	1.1.1.1	192.168.2.5
Aug 28, 2024 00:48:24.690794945 CEST	53	61742	1.1.1.1	192.168.2.5
Aug 28, 2024 00:48:24.692192078 CEST	61742	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:48:24.698659897 CEST	53	61742	1.1.1.1	192.168.2.5
Aug 28, 2024 00:48:24.698708057 CEST	61742	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:48:26.188954115 CEST	61745	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:48:26.188992023 CEST	443	61745	142.250.185.164	192.168.2.5
Aug 28, 2024 00:48:26.189155102 CEST	61745	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:48:26.189686060 CEST	61745	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:48:26.189698935 CEST	443	61745	142.250.185.164	192.168.2.5
Aug 28, 2024 00:48:26.822732925 CEST	443	61745	142.250.185.164	192.168.2.5
Aug 28, 2024 00:48:26.826483011 CEST	61745	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:48:26.826493979 CEST	443	61745	142.250.185.164	192.168.2.5
Aug 28, 2024 00:48:26.826829910 CEST	443	61745	142.250.185.164	192.168.2.5
Aug 28, 2024 00:48:26.828088045 CEST	61745	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:48:26.828152895 CEST	443	61745	142.250.185.164	192.168.2.5
Aug 28, 2024 00:48:26.868127108 CEST	61745	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:48:36.727163076 CEST	443	61745	142.250.185.164	192.168.2.5
Aug 28, 2024 00:48:36.727243900 CEST	443	61745	142.250.185.164	192.168.2.5
Aug 28, 2024 00:48:36.727376938 CEST	61745	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:48:37.838099003 CEST	61745	443	192.168.2.5	142.250.185.164
Aug 28, 2024 00:48:37.838128090 CEST	443	61745	142.250.185.164	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 00:47:21.458146095 CEST	53	62893	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:21.524338961 CEST	53	62221	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:22.790047884 CEST	53	49996	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:23.375133038 CEST	63807	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:23.375287056 CEST	62147	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:23.387582064 CEST	53	63807	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:23.397108078 CEST	53	62147	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:24.300414085 CEST	51117	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:24.300710917 CEST	63818	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:24.310086012 CEST	53	51117	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:24.311153889 CEST	53	63818	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:26.189145088 CEST	63249	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:26.191368103 CEST	53416	53	192.168.2.5	1.1.1.1
Aug 28, 2024 00:47:26.196775913 CEST	53	63249	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:26.199078083 CEST	53	53416	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:39.845355034 CEST	53	59083	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:40.452917099 CEST	53	52042	1.1.1.1	192.168.2.5
Aug 28, 2024 00:47:58.945468903 CEST	53	52670	1.1.1.1	192.168.2.5
Aug 28, 2024 00:48:21.227344990 CEST	53	54078	1.1.1.1	192.168.2.5
Aug 28, 2024 00:48:21.642754078 CEST	53	65419	1.1.1.1	192.168.2.5
Aug 28, 2024 00:48:24.236627102 CEST	53	50796	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 28, 2024 00:47:23.375133038 CEST	192.168.2.5	1.1.1.1	0x6e5	Standard query (0)	urlz.fr	A (IP address)	IN (0x0001)	false
Aug 28, 2024 00:47:23.375287056 CEST	192.168.2.5	1.1.1.1	0xf752	Standard query (0)	urlz.fr	65	IN (0x0001)	false
Aug 28, 2024 00:47:24.300414085 CEST	192.168.2.5	1.1.1.1	0x1c0a	Standard query (0)	rondgeusbe-f69b39.ingress-erytho.ewp.live	A (IP address)	IN (0x0001)	false
Aug 28, 2024 00:47:24.300710917 CEST	192.168.2.5	1.1.1.1	0xe7f0	Standard query (0)	rondgeusbe-f69b39.ingress-erytho.ewp.live	65	IN (0x0001)	false
Aug 28, 2024 00:47:26.189145088 CEST	192.168.2.5	1.1.1.1	0x9017	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Aug 28, 2024 00:47:26.191368103 CEST	192.168.2.5	1.1.1.1	0xd0ff	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 28, 2024 00:47:23.387582064 CEST	1.1.1.1	192.168.2.5	0x6e5	No error (0)	urlz.fr		104.21.234.214	A (IP address)	IN (0x0001)	false
Aug 28, 2024 00:47:23.387582064 CEST	1.1.1.1	192.168.2.5	0x6e5	No error (0)	urlz.fr		104.21.234.215	A (IP address)	IN (0x0001)	false
Aug 28, 2024 00:47:23.397108078 CEST	1.1.1.1	192.168.2.5	0xf752	No error (0)	urlz.fr			65	IN (0x0001)	false
Aug 28, 2024 00:47:24.310086012 CEST	1.1.1.1	192.168.2.5	0x1c0a	No error (0)	rondgeusbe-f69b39.ingress-erytho.ewp.live		63.250.43.133	A (IP address)	IN (0x0001)	false
Aug 28, 2024 00:47:24.310086012 CEST	1.1.1.1	192.168.2.5	0x1c0a	No error (0)	rondgeusbe-f69b39.ingress-erytho.ewp.live		63.250.43.132	A (IP address)	IN (0x0001)	false
Aug 28, 2024 00:47:26.196775913 CEST	1.1.1.1	192.168.2.5	0x9017	No error (0)	www.google.com		142.250.185.164	A (IP address)	IN (0x0001)	false
Aug 28, 2024 00:47:26.199078083 CEST	1.1.1.1	192.168.2.5	0xd0ff	No error (0)	www.google.com			65	IN (0x0001)	false
Aug 28, 2024 00:47:37.873698950 CEST	1.1.1.1	192.168.2.5	0xb5fc	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 00:47:37.873698950 CEST	1.1.1.1	192.168.2.5	0xb5fc	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

urlz.fr

rondgeusbe-f69b39.ingress-erytho.ewp.live

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	104.21.234.214	443	3656	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 22:47:23 UTC	654	OUT	GET /rRBY HTTP/1.1 Host: urlz.fr Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-27 22:47:24 UTC	756	IN	HTTP/1.1 302 Found Date: Tue, 27 Aug 2024 22:47:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close location: https://rondgeusbe-f69b39.ingress-erytho.ewp.live/wp-content/plugins/esidem/pages/region.php expires: Tue, 27 Aug 2024 22:48:24 GMT Cache-Control: max-age=60 x-fastcgi-cache: HIT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jWTKoeeAOk7q9v9MaR81lCESsixr1ZawpyEDOHetqJ81l0qdsgCNG0y%2BdaUi88zUwmHzYtXHwI1pu0FZdEj0zM5jRXlB6bXM8N2Iy7Q7oqW2dOSz%2FX%2Fzxd9B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b9f9a671fa94205-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 22:47:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	63.250.43.133	443	3656	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 22:47:25 UTC	726	OUT	GET /wp-content/plugins/esidem/pages/region.php HTTP/1.1 Host: rondgeusbe-f69b39.ingress-erytho.ewp.live Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-27 22:47:25 UTC	135	IN	HTTP/1.1 404 Not Found content-type: text/html date: Tue, 27 Aug 2024 22:47:25 GMT transfer-encoding: chunked connection: close
2024-08-27 22:47:25 UTC	4097	IN	Data Raw: 46 46 41 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 e2 80 a6 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 Data Ascii: FFA<!doctype html><html class="no-js" lang=""><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>Website not found</title> <meta name="description" content=""> <meta name="viewport" conte
2024-08-27 22:47:25 UTC	16328	IN	Data Raw: 33 46 43 30 0d 0a 71 68 76 61 36 42 62 6f 6a 58 62 2f 76 56 53 53 70 34 53 4a 43 33 48 53 54 5a 37 38 6a 51 51 41 35 46 39 4e 77 41 72 62 78 34 79 54 74 67 42 58 66 50 4e 75 47 64 62 69 4a 59 56 4e 52 6a 38 36 63 53 4a 75 75 6a 32 31 42 66 6a 70 35 32 50 58 41 53 53 69 43 31 51 45 2f 30 69 4b 6d 78 61 55 74 67 41 4a 79 57 37 55 51 69 69 69 73 77 6b 33 62 51 47 51 54 30 6e 4d 2f 46 6c 30 31 65 61 6d 4c 59 42 53 38 72 77 73 34 4e 50 65 62 4d 4a 4e 57 77 43 73 75 62 4f 6d 50 64 4d 73 42 45 79 34 61 51 73 41 37 4a 49 64 41 53 62 63 54 41 52 49 5a 4c 6b 41 70 64 43 73 7a 55 31 66 41 4d 56 36 53 79 46 54 52 77 34 47 33 50 51 46 59 4b 7a 50 45 62 77 30 47 72 57 35 61 51 75 41 48 5a 63 32 53 4c 47 30 4d 65 47 6d 4c 51 41 65 51 4a 54 73 4c 57 44 43 54 56 73 41 78 Data Ascii: 3FC0qhva6BbojXb/vVSSp4SJC3HSTZ78jQQA5F9NwArbx4yTtgBXfPNuGdbiJYVNRj86cSJuuj21Bfjp52PXASSiC1QE/0iKmxaUtgAJyW7UQiiiswk3bQGQT0nM/Fl01eamLYBS8rws4NPebMJNWwCsubOmPdMsBEy4aQsA7JIdASbcTARIZLkApdCszU1fAMV6SyFTRw4G3PQFYKzPEbw0GrW5aQuAHZc2SLG0MeGmLQAeQJTsLWDCTVsAx
2024-08-27 22:47:25 UTC	16320	IN	Data Raw: 33 46 42 38 0d 0a 66 2f 65 7a 58 33 2f 36 35 4b 53 39 6e 4d 4b 32 4d 57 61 32 79 4c 6c 46 66 30 52 41 61 63 38 75 79 56 77 71 79 67 6c 4b 6f 61 4b 55 48 31 78 65 6e 39 33 4d 4e 41 6f 62 6a 48 43 4b 4d 7a 55 4d 55 36 51 32 5a 4e 37 31 37 7a 44 5a 33 72 76 46 65 4b 45 56 46 54 55 4e 4c 6c 33 6e 59 65 30 37 4b 65 69 48 43 49 53 6f 75 61 63 4e 57 37 49 53 39 4a 78 2b 79 72 61 63 46 70 41 51 4c 43 6b 38 30 4e 7a 59 64 45 68 33 4c 52 33 6e 73 50 78 66 30 51 74 5a 4c 72 74 39 6a 6c 36 2f 36 38 65 30 37 66 67 77 2f 2b 64 6b 76 64 52 6d 70 52 61 6d 64 2b 6b 52 70 65 6f 58 33 32 68 74 76 76 66 50 65 68 38 72 50 54 4c 6c 39 5a 4d 62 78 43 67 49 65 2f 61 6b 69 51 69 6c 4f 57 43 55 64 77 67 67 37 79 38 49 55 72 41 58 48 42 44 66 4a 65 35 46 58 5a 73 50 61 51 43 41 51 Data Ascii: 3FB8f/ezX3/65KS9nMK2MWa2yLlFf0RAac8uyVwqyglKoaKUH1xen93MNAobjHCKMzUMU6Q2ZN717zDZ3rvFeKEVFTUNLl3nYe07KeiHCISouacNW7IS9Jx+yracFpAQLCk80NzYdEh3LR3nsPxf0QtZLrt9jl6/68e07fgw/+dkvdRmpRamd+kRpeoX32htvvfPeh8rPTLl9ZMbxCgIe/akiQilOWCUdwgg7y8IUrAXHBDfJe5FXZsPaQCAQ
2024-08-27 22:47:25 UTC	16328	IN	Data Raw: 33 46 43 30 0d 0a 30 6d 72 41 6e 62 4d 31 65 69 5a 7a 57 42 54 32 32 56 63 6a 77 31 34 67 74 68 30 32 75 47 35 4a 61 4d 79 7a 4c 39 58 33 6a 69 76 7a 66 48 49 44 68 52 48 37 31 31 5a 70 69 44 6f 2f 74 55 75 52 2f 31 2b 41 57 64 37 6a 56 6b 43 36 43 56 6b 32 70 2b 62 4d 69 71 76 76 6b 33 66 76 65 35 50 4d 76 43 47 2f 66 65 68 71 5a 6f 2b 6a 4d 79 4e 37 51 43 57 59 75 31 7a 55 4d 73 43 52 4f 6c 33 39 37 56 69 59 59 69 68 6d 53 4c 32 4b 4a 74 76 56 38 65 38 47 75 52 74 39 47 68 41 31 61 4a 2b 52 62 70 33 33 49 37 4a 6c 62 2b 68 41 44 63 31 68 30 7a 68 53 71 38 6d 35 39 52 51 63 62 69 2b 64 73 5a 51 77 54 4e 36 39 71 39 58 43 78 36 32 62 4f 68 31 43 51 32 4a 6e 7a 6f 64 6e 55 65 72 59 63 78 49 44 55 31 33 2f 42 46 57 74 73 4d 45 6f 49 7a 6a 4f 44 67 43 48 32 Data Ascii: 3FC00mrAnbM1eiZzWBT22Vcjw14gth02uG5JaMyzL9X3jivzfHIDhRH711ZpiDo/tUuR/1+AWd7jVkC6CVk2p+bMiqvvk3fve5PMvCG/fehqZo+jMyN7QCWYu1zUMsCROl397ViYYihmSL2KJtvV8e8GuRt9GhA1aJ+Rbp33I7Jlb+hADc1h0zhSq8m59RQcbi+dsZQwTN69q9XCx62bOh1CQ2JnzodnUerYcxIDU13/BFWtsMEoIzjODgCH2
2024-08-27 22:47:25 UTC	16320	IN	Data Raw: 33 46 42 38 0d 0a 55 77 2b 31 45 4d 67 53 33 54 33 62 33 34 55 33 50 71 31 75 51 39 50 65 4e 73 46 39 63 73 30 37 6b 54 72 33 65 72 47 47 36 67 73 39 71 51 53 6d 30 51 2b 65 63 50 71 4a 54 58 6d 74 79 79 6e 2f 4a 6d 2f 61 77 50 54 79 4f 34 79 78 59 32 30 56 58 32 39 47 67 4e 6b 2b 4f 6a 75 78 66 30 53 2f 51 46 65 55 57 43 70 69 67 61 47 67 36 57 42 54 5a 42 38 4f 6a 76 77 53 32 6a 54 38 41 48 4b 42 6c 51 42 4d 78 37 7a 57 6f 74 48 58 6f 57 38 6a 55 51 65 7a 49 4e 4d 43 7a 2f 45 33 44 4a 70 76 6c 38 57 6d 77 68 52 7a 57 67 34 46 6e 6f 4b 36 70 6b 6e 74 46 4c 6a 55 63 62 42 52 4b 48 56 37 7a 62 70 31 2b 78 65 69 74 49 77 6a 46 4f 2f 65 59 4f 75 63 45 4c 6a 55 47 6d 39 59 64 38 6c 43 2b 71 57 55 38 77 49 42 4e 79 67 37 32 46 41 54 34 7a 63 50 53 6f 79 57 59 Data Ascii: 3FB8Uw+1EMgS3T3b34U3Pq1uQ9PeNsF9cs07kTr3erGG6gs9qQSm0Q+ecPqJTXmtyyn/Jm/awPTyO4yxY20VX29GgNk+Ojuxf0S/QFeUWCpigaGg6WBTZB8OjvwS2jT8AHKBlQBMx7zWotHXoW8jUQezINMCz/E3DJpvl8WmwhRzWg4FnoK6pkntFLjUcbBRKHV7zbp1+xeitIwjFO/eYOucELjUGm9Yd8lC+qWU8wIBNyg72FAT4zcPSoyWY
2024-08-27 22:47:25 UTC	277	IN	Data Raw: 31 30 45 0d 0a 69 76 6e 74 76 7a 55 4d 44 4d 78 76 47 55 4d 55 47 42 67 6d 67 2b 51 59 76 7a 43 64 41 6c 49 4b 44 44 77 41 36 48 51 4d 6c 51 42 34 32 6f 31 56 61 32 67 63 56 52 67 39 33 7a 65 4e 6a 37 5a 4a 32 32 31 65 6a 57 32 61 64 6d 50 54 4a 4c 76 64 58 5a 76 47 74 63 33 44 54 62 4b 37 62 52 35 61 58 55 6d 73 4a 4a 42 69 66 53 4e 56 4d 64 69 49 6b 43 4c 30 6a 79 68 57 45 4b 46 51 68 42 61 74 69 6c 51 52 72 50 2b 6c 2b 4d 63 58 56 49 31 59 61 72 53 4b 32 6d 67 6f 4e 6d 42 46 71 6e 51 38 33 33 56 57 34 7a 61 42 58 54 68 37 5a 75 62 4f 33 44 76 33 66 4f 64 38 67 36 66 68 66 6a 4c 41 50 7a 76 2b 6d 73 64 68 39 4d 6f 44 53 4f 70 52 72 4e 63 6f 61 72 33 74 57 4b 63 48 45 4d 45 6b 6b 6a 4b 4d 4b 46 45 71 42 39 41 6b 48 36 49 4a 5a 37 46 42 4c 71 45 4c 33 36 Data Ascii: 10EivntvzUMDMxvGUMUGBgmg+QYvzCdAlIKDDwA6HQMlQB42o1Va2gcVRg93zeNj7ZJ221ejW2admPTJLvdXZvGtc3DTbK7bR5aXUmsJJBifSNVMdiIkCL0jyhWEKFQhBatilQRrP+l+McXVI1YarSK2mgoNmBFqnQ833VW4zaBXTh7ZubO3Dv3fOd8g6fhfjLAPzv+msdh9MoDSOpRrNcoar3tWKcHEMEkkjKMKFEqB9AkH6IJZ7FBLqEL36
2024-08-27 22:47:25 UTC	16328	IN	Data Raw: 33 46 43 30 0d 0a 48 35 62 53 6a 54 4d 44 5a 70 42 6c 76 6b 65 31 54 6f 4b 42 4b 38 74 6c 48 4b 30 53 56 4c 30 53 6c 66 6f 6c 61 42 74 45 78 78 37 76 4f 6f 38 56 37 6a 76 55 65 78 52 4a 2f 48 69 4a 37 45 5a 6a 31 46 54 68 4e 68 59 68 59 33 36 42 52 47 5a 41 58 78 43 2b 66 64 77 57 73 62 4d 4f 77 39 68 52 45 50 78 44 55 63 7a 77 56 38 44 38 65 32 63 50 32 74 58 50 4e 74 44 4f 70 2b 6c 48 76 76 6f 6b 59 48 73 56 67 66 51 6f 6a 76 56 69 37 33 34 55 35 4e 59 69 57 35 55 6d 74 51 4a 35 39 78 37 2b 39 6a 54 4b 76 51 77 50 48 74 57 6f 61 49 70 68 44 56 61 6b 53 34 33 77 70 64 68 6a 55 38 37 38 4d 30 32 6e 48 42 50 79 58 66 6f 52 63 2f 6f 64 64 37 41 58 31 32 58 56 76 52 37 4c 69 4e 39 30 2b 67 54 7a 37 47 61 6e 6d 4f 61 36 57 51 31 57 76 35 76 6a 4f 6f 6b 49 74 Data Ascii: 3FC0H5bSjTMDZpBlvke1ToKBK8tlHK0SVL0SlfolaBtExx7vOo8V7jvUexRJ/HiJ7EZj1FThNhYhY36BRGZAXxC+fdwWsbMOw9hREPxDUczwV8D8e2cP2tXPNtDOp+lHvvokYHsVgfQojvVi734U5NYiW5UmtQJ59x7+9jTKvQwPHtWoaIphDVakS43wpdhjU878M02nHBPyXfoRc/odd7AX12XVvR7LiN90+gTz7GanmOa6WQ1Wv5vjOokIt
2024-08-27 22:47:25 UTC	16328	IN	Data Raw: 33 46 43 30 0d 0a 32 32 56 49 2b 73 44 76 61 62 65 73 57 4a 58 7a 59 30 31 46 58 61 75 39 63 30 4e 49 78 62 42 39 59 79 33 57 6a 64 55 67 30 35 41 59 53 50 74 6b 67 49 6c 48 78 38 50 37 39 62 53 2b 65 4c 30 6e 47 37 6c 73 4b 44 4b 64 53 67 31 6e 76 54 7a 73 51 65 6c 67 37 6a 47 58 4b 65 77 77 6b 73 43 2b 62 52 78 64 2f 44 6e 63 31 4c 39 34 43 63 6e 69 63 65 7a 4c 65 53 71 34 4d 42 6a 38 73 4a 64 6f 48 46 77 46 73 51 38 6d 68 41 30 4d 31 45 53 52 57 6d 5a 4d 4c 72 51 71 52 56 6c 31 4d 6c 6f 56 36 58 53 47 2f 76 36 4b 77 47 6b 4e 70 68 48 32 39 36 74 77 2b 4f 4c 4a 78 33 37 68 6b 6a 56 36 58 58 56 6f 30 4d 74 57 52 65 57 4e 50 65 49 5a 39 58 76 38 36 34 66 55 66 5a 65 33 37 77 6e 72 4c 74 38 32 56 37 61 74 65 57 5a 57 34 6f 47 39 73 7a 74 56 42 47 4c 79 6e Data Ascii: 3FC022VI+sDvabesWJXzY01FXau9c0NIxbB9Yy3WjdUg05AYSPtkgIlHx8P79bS+eL0nG7lsKDKdSg1nvTzsQelg7jGXKewwksC+bRxd/Dnc1L94CcnicezLeSq4MBj8sJdoHFwFsQ8mhA0M1ESRWmZMLrQqRVl1MloV6XSG/v6KwGkNphH296tw+OLJx37hkjV6XXVo0MtWReWNPeIZ9Xv864fUfZe37wnrLt82V7ateWZW4oG9sztVBGLyn
2024-08-27 22:47:25 UTC	12100	IN	Data Raw: 32 46 33 43 0d 0a 55 51 57 6b 37 35 39 43 68 65 59 48 57 4d 6e 66 35 62 35 7a 4c 33 4c 58 63 4c 73 2f 56 45 51 54 46 64 42 49 66 6f 45 4c 4d 4e 6b 31 6b 6c 69 69 4b 76 42 79 6a 64 41 73 44 7a 78 45 4a 6c 43 63 66 4d 2b 70 6d 70 38 42 62 46 47 72 61 75 6c 38 59 79 48 36 42 76 44 69 5a 72 31 5a 6b 78 59 41 76 33 4d 4a 38 4e 54 69 49 61 6c 74 63 6d 4b 41 36 62 6a 56 56 69 45 6f 5a 41 45 4c 6d 59 61 63 75 53 4d 46 68 76 73 77 56 6d 67 33 4b 4b 46 79 6f 59 73 4e 75 54 56 54 68 37 79 4f 36 33 2b 35 4a 70 4f 4c 64 6d 56 4b 2b 63 69 58 79 73 5a 6e 46 61 5a 46 42 64 2b 63 55 4c 73 78 6a 4f 2f 4a 4c 68 31 35 6a 6e 79 36 33 50 76 4b 6a 48 4e 46 32 6a 6f 48 6c 78 55 37 46 39 74 52 70 73 30 63 73 35 39 45 4e 46 71 45 38 31 31 6f 48 36 69 46 58 69 41 56 4d 2b 69 6d 4e Data Ascii: 2F3CUQWk759CheYHWMnf5b5zL3LXcLs/VEQTFdBIfoELMNk1kliiKvByjdAsDzxEJlCcfM+pmp8BbFGraul8YyH6BvDiZr1ZkxYAv3MJ8NTiIaltcmKA6bjVViEoZAELmYacuSMFhvswVmg3KKFyoYsNuTVTh7yO63+5JpOLdmVK+ciXysZnFaZFBd+cULsxjO/JLh15jny63PvKjHNF2joHlxU7F9tRps0cs59ENFqE811oH6iFXiAVM+imN
2024-08-27 22:47:25 UTC	16328	IN	Data Raw: 33 46 43 30 0d 0a 58 58 59 79 30 35 6c 73 42 61 79 75 4c 49 53 37 6d 49 53 39 2f 4f 77 78 59 39 38 46 49 4f 53 33 69 39 74 34 2f 54 35 34 41 66 50 56 4b 6e 43 78 61 30 47 32 74 77 6a 6d 41 6c 43 38 57 6a 42 2f 79 5a 45 57 53 59 42 42 44 63 52 48 41 57 4d 62 63 2b 79 34 72 6a 42 55 37 43 70 4d 75 50 58 6f 62 32 56 5a 53 5a 30 38 52 36 79 5a 4e 50 54 71 56 57 72 6f 69 73 48 53 7a 74 70 72 64 64 58 30 48 37 61 58 71 43 42 6e 73 32 56 72 6f 53 67 32 56 79 66 62 69 46 62 76 4a 58 6b 4c 4d 59 74 2f 70 39 4b 52 67 67 4a 71 47 38 44 47 53 74 67 32 42 57 43 69 39 71 59 5a 54 58 51 78 51 7a 56 74 6d 46 55 75 5a 51 44 65 76 4b 57 2f 42 46 6b 4f 54 48 62 6b 61 39 4c 50 43 73 64 31 6c 74 4c 71 38 35 35 4b 30 74 6b 55 6a 79 38 6b 4a 6c 6d 67 6f 61 72 5a 6f 51 37 4b 44 Data Ascii: 3FC0XXYy05lsBayuLIS7mIS9/OwxY98FIOS3i9t4/T54AfPVKnCxa0G2twjmAlC8WjB/yZEWSYBBDcRHAWMbc+y4rjBU7CpMuPXob2VZSZ08R6yZNPTqVWroisHSztprddX0H7aXqCBns2VroSg2VyfbiFbvJXkLMYt/p9KRggJqG8DGStg2BWCi9qYZTXQxQzVtmFUuZQDevKW/BFkOTHbka9LPCsd1ltLq855K0tkUjy8kJlmgoarZoQ7KD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 22:47:27 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-27 22:47:27 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF17) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=60779 Date: Tue, 27 Aug 2024 22:47:27 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 22:47:28 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-27 22:47:28 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=64692 Date: Tue, 27 Aug 2024 22:47:28 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-27 22:47:28 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 2180, Parent PID: 5376

General

Target ID:	0
Start time:	18:47:17
Start date:	27/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3656, Parent PID: 2180

General

Target ID:	2
Start time:	18:47:20
Start date:	27/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1952,i,2442161772945327702,3741709587517037170,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 1472, Parent PID: 5376

General

Target ID:	3
Start time:	18:47:22
Start date:	27/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://urlz.fr/rRBY"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://urlz.fr/rRBY

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping2180_26709254\sets.json

Chrome Cache Entry: 129

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 2180, Parent PID: 5376

General

Windows Analysis Report
https://urlz.fr/rRBY