Edit tour

Windows Analysis Report
https://www.google.com.bo/url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwh

Overview

General Information

Sample URL:	https://www.google.com.bo/url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%ad
Analysis ID:	1524242
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected suspicious crossdomain redirect

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 7092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 344 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=1908,i,10956074042395917505,4996520690620186931,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com.bo/url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwhh=mzi" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49721 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49718 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: www.google.com.bo to http://hwmtfel.bdkziufdiaaggtmn.com/4wjrhlzfn

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49721 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.137
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.137
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwhh=mzi HTTP/1.1Host: www.google.com.boConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIkqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /amp/hwmtfel.bd%C2%ADk%C2%ADzi%C2%ADu%C2%ADf%C2%ADd%C2%ADi%C2%ADaa%C2%ADgg%C2%ADtmn.com/4wjrhlzfn HTTP/1.1Host: www.google.com.boConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIkqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=518=wKsL7ppnYVZ8oGGUgyZ3OLdPJF7uTl9sXL13fnpfebubaOfpDjeafrTOEYcZWuba5FuYVCWYjbkKijHln4KsOf2E8t3hHZB-10XgZyKCra1iBkbPrl-VAuzDIo_-rES6z_eM_7DheDACUItADAoyMfDUgYIZOk3K80paYVL_ZSGGX1a2p7L0JLXTHgmDQ_nN
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /4wjrhlzfn HTTP/1.1Host: hwmtfel.bdkziufdiaaggtmn.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /4wjrhlzfn HTTP/1.1Host: hwmtfel.bdkziufdiaaggtmn.comConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /4wjrhlzfn HTTP/1.1Host: hwmtfel.bdkziufdiaaggtmn.comConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /4wjrhlzfn HTTP/1.1Host: hwmtfel.bdkziufdiaaggtmn.comConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /4wjrhlzfn HTTP/1.1Host: hwmtfel.bdkziufdiaaggtmn.comConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com.bo
Source: global traffic	DNS traffic detected: DNS query: hwmtfel.bdkziufdiaaggtmn.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49718 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@19/6@6/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=1908,i,10956074042395917505,4996520690620186931,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com.bo/url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwhh=mzi"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=1908,i,10956074042395917505,4996520690620186931,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
hwmtfel.bdkziufdiaaggtmn.com	94.156.64.140	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
www.google.com.bo	142.250.181.227	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://www.google.com.bo/url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwhh=mzi	false	unknown
https://www.google.com.bo/amp/hwmtfel.bd%C2%ADk%C2%ADzi%C2%ADu%C2%ADf%C2%ADd%C2%ADi%C2%ADaa%C2%ADgg%C2%ADtmn.com/4wjrhlzfn	false	unknown
http://hwmtfel.bdkziufdiaaggtmn.com/4wjrhlzfn	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.227	www.google.com.bo	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
94.156.64.140	hwmtfel.bdkziufdiaaggtmn.com	Bulgaria	31420	TERASYST-ASBG	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.10
192.168.2.9

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524242
Start date and time:	2024-10-02 16:31:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://www.google.com.bo/url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwhh=mzi
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@19/6@6/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.131, 216.58.206.46, 142.251.173.84, 34.104.35.123, 20.12.23.50, 13.95.31.18, 192.229.221.95, 20.3.187.198, 216.58.212.163
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, update.googleapis.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://www.google.com.bo/url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwhh=mzi

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:32:31 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.973778668527767
Encrypted:	false
SSDEEP:	48:8AsDdaTTXsXH8idAKZdA1P4ehwiZUklqeh1y+3:8A/IeOmy
MD5:	4C28BAD2889C38ECBCAA2D7F0DC47EA4
SHA1:	3D8B0300972D133AD1596496747C0836D0F28BFB
SHA-256:	512EAA29CA9C715BE158197FA0EBB3381DBB2A388EC615B119FEF4C9847E59C1
SHA-512:	3D4354835DBE3D7BDF22C6145380397D439D02E6800F78BF2CB1B765518D0D25413576B31D25E65DE9CCE43CB97D0DFBB607491A283538420CE2255773460F83
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,...._.........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY.t....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY.t....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY.t.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.t...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........E1.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:32:31 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9930141827154033
Encrypted:	false
SSDEEP:	48:8VDdaTTXsXH8idAKZdA1+4eh/iZUkAQkqehWy+2:80IfF9QLy
MD5:	EC4E5C0A88F80F5A1641616CFC8E3701
SHA1:	BC1C1BAB9A0FFE07BD77497B5783EF1AC9BE4D59
SHA-256:	0C86AF15424AF5AA96A4BA39E20994007300E02AEAE78D023E67C0FBCE751EE0
SHA-512:	D6FE2F7CDF92635F882834503C8691788A67BFA3FB2C802570A7AB4FE6D3E47499FD564B3359E16CF9E7C40DF866C8C647700ED7B3249F4E429DF39DC723BB26
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.............v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY.t....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY.t....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY.t.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.t...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........E1.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:56:51 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.000115927782469
Encrypted:	false
SSDEEP:	48:8QdaTTXsVH8idAKZdA1404eh7sFiZUkmgqeh7sEy+BX:87I8Inqy
MD5:	6CCEF2E820837293F714ED585C9DE7AB
SHA1:	D1715CA7F7906588296C28A621AB37E8A72D6036
SHA-256:	0EAAC9C7E8A2F465E1954AAE7117FAB10DF5CCA75B95785BB6EB85D745D4665C
SHA-512:	DBE86E7DA9F9ACB8052BBF3874ED6560C122C007AD471E309346F0D24A067AD9E3ADA064D775CD5EEDABCC36F07C7DC96D91950D2DBC31922BBBE47FE33ADEA5
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....<}.i.....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY.t....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY.t....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY.t.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VEW.F...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........E1.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:32:31 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9899333771069627
Encrypted:	false
SSDEEP:	48:8MDdaTTXsXH8idAKZdA1p4ehDiZUkwqehCy+R:8fIo58y
MD5:	CAF438EE505FA206377629EA40B298AF
SHA1:	634778A58175614F6E7D6A95C7F07B9627B244FB
SHA-256:	72E18F567F256ECBC4D5042EB5A0758A33A638FB37A91220919CE5479E31E903
SHA-512:	E55E6C63C2CB890E42FB3A032DDF93A0FF0292753CCFCB2166FCFA67BBDE6078EFF5A98C0E5DFCE9D5692C1A6400F1B168571E8F2378CA665C9102C5C2F67C2D
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....n.........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY.t....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY.t....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY.t.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.t...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........E1.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:32:31 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.978560207530175
Encrypted:	false
SSDEEP:	48:8ODdaTTXsXH8idAKZdA1X4ehBiZUk1W1qehIy+C:8RImb9oy
MD5:	D739CA2FF43523222CE03CE6611D04C2
SHA1:	812D85D2E8376AF421EE546475D495D902F36AD7
SHA-256:	7FD517FA4EF302489AD1721D61648A92C8B564B4E23C63217E242B79001FEFE5
SHA-512:	17FED9283509AB7CD06E2272F873D3B599BD12A4F802D1C567ECE0F6D832CD063482E0BB07700BDAE43403CA3F69E1D8CC954E8F641D6DA5D09A86376FBB12DF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....X.........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY.t....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY.t....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY.t.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.t...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........E1.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 2 13:32:30 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9861279110561454
Encrypted:	false
SSDEEP:	48:8FDdaTTXsXH8idAKZdA1duTc4ehOuTbbiZUk5OjqehOuTbqy+yT+:8EIbTcJTbxWOvTbqy7T
MD5:	92FB08FF3F154929CDA2ED251F9FC3EC
SHA1:	9B03AFCFF3D32096CDE3362898B3E62DD8F33507
SHA-256:	7FDE44B5DF2F1BA8D28FB9B8694C7AFFD40D5B1219587A835852EA3F3FE73716
SHA-512:	165549F0CFB4097F89C6F64458A0EB8148F06017E9F729205C17BBA4EBA8A5A394EC8ED38444554CA9C7A375156159E1418C5796FAAC2E2BCA6126DF61611C6F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....Ak........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IBY.t....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VBY.t....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VBY.t....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VBY.t.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VBY.t...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........E1.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 16:32:18.826185942 CEST	49677	443	192.168.2.9	20.189.173.11
Oct 2, 2024 16:32:20.419570923 CEST	49675	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:20.419590950 CEST	49676	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:20.716409922 CEST	49674	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:23.638290882 CEST	49677	443	192.168.2.9	20.189.173.11
Oct 2, 2024 16:32:24.841459990 CEST	49673	443	192.168.2.9	204.79.197.203
Oct 2, 2024 16:32:30.140561104 CEST	49675	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:30.140561104 CEST	49676	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:30.343657970 CEST	49674	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:30.681564093 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:30.681586027 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:30.681673050 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:30.682249069 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:30.682256937 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:30.682553053 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:30.682570934 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:30.685678959 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:30.685992002 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:30.686000109 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.328758001 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.331255913 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.331267118 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.332302094 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.332364082 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.334784031 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.334837914 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.335076094 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.335081100 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.345681906 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.353683949 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.353701115 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.354748011 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.354801893 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.357448101 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.357496977 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.377471924 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.409323931 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.409342051 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.454164982 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.629277945 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.629731894 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.629812956 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.630414009 CEST	49712	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.630435944 CEST	443	49712	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.633331060 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.679399014 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.867559910 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.868386984 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.868485928 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.886348963 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.886372089 CEST	443	49711	142.250.181.227	192.168.2.9
Oct 2, 2024 16:32:31.886389017 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.886429071 CEST	49711	443	192.168.2.9	142.250.181.227
Oct 2, 2024 16:32:31.909630060 CEST	49715	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:31.915540934 CEST	80	49715	94.156.64.140	192.168.2.9
Oct 2, 2024 16:32:31.915648937 CEST	49715	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:31.915868998 CEST	49715	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:31.920733929 CEST	80	49715	94.156.64.140	192.168.2.9
Oct 2, 2024 16:32:32.009449959 CEST	443	49704	23.206.229.209	192.168.2.9
Oct 2, 2024 16:32:32.009666920 CEST	49704	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:33.177309036 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:33.177335978 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:33.177393913 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:33.178045034 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:33.178055048 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:33.251245022 CEST	49677	443	192.168.2.9	20.189.173.11
Oct 2, 2024 16:32:33.860131979 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:33.860511065 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:33.860521078 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:33.861627102 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:33.861675978 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:33.911072016 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:33.911127090 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:33.911202908 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:33.923948050 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:33.923971891 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:34.111485958 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:34.111648083 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:34.157145977 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:34.157160997 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:34.205043077 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:34.572264910 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:34.572432041 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:34.630091906 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:34.630129099 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:34.630465031 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:34.673381090 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:34.756380081 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:34.799426079 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:34.968825102 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:34.968907118 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:34.968983889 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.019249916 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.019294977 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:35.019340992 CEST	49717	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.019349098 CEST	443	49717	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:35.270692110 CEST	49718	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.270750999 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:35.270818949 CEST	49718	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.271173000 CEST	49718	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.271187067 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:35.906955004 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:35.907053947 CEST	49718	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.914504051 CEST	49718	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.914555073 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:35.914901972 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:35.918736935 CEST	49718	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:35.959472895 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:36.183844090 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:36.183917046 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:36.183979988 CEST	49718	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:36.185185909 CEST	49718	443	192.168.2.9	184.28.90.27
Oct 2, 2024 16:32:36.185206890 CEST	443	49718	184.28.90.27	192.168.2.9
Oct 2, 2024 16:32:42.932610035 CEST	49704	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:42.932692051 CEST	49704	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:42.933125973 CEST	49721	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:42.933180094 CEST	443	49721	23.206.229.209	192.168.2.9
Oct 2, 2024 16:32:42.933300972 CEST	49721	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:42.933571100 CEST	49721	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:42.933578968 CEST	443	49721	23.206.229.209	192.168.2.9
Oct 2, 2024 16:32:42.937592030 CEST	443	49704	23.206.229.209	192.168.2.9
Oct 2, 2024 16:32:42.937618971 CEST	443	49704	23.206.229.209	192.168.2.9
Oct 2, 2024 16:32:43.529349089 CEST	443	49721	23.206.229.209	192.168.2.9
Oct 2, 2024 16:32:43.529455900 CEST	49721	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:32:43.757222891 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:43.757302046 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:43.757873058 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:45.363955021 CEST	49716	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:32:45.363980055 CEST	443	49716	216.58.206.68	192.168.2.9
Oct 2, 2024 16:32:53.318224907 CEST	80	49715	94.156.64.140	192.168.2.9
Oct 2, 2024 16:32:53.319478989 CEST	49715	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:53.320236921 CEST	49715	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:53.324971914 CEST	80	49715	94.156.64.140	192.168.2.9
Oct 2, 2024 16:32:54.382307053 CEST	49722	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:54.383194923 CEST	49723	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:54.387809038 CEST	80	49722	94.156.64.140	192.168.2.9
Oct 2, 2024 16:32:54.387904882 CEST	49722	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:54.388042927 CEST	80	49723	94.156.64.140	192.168.2.9
Oct 2, 2024 16:32:54.388092041 CEST	49723	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:54.449776888 CEST	49723	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:32:54.454776049 CEST	80	49723	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:02.704474926 CEST	443	49721	23.206.229.209	192.168.2.9
Oct 2, 2024 16:33:02.704629898 CEST	49721	443	192.168.2.9	23.206.229.209
Oct 2, 2024 16:33:13.031681061 CEST	49705	80	192.168.2.9	2.19.126.137
Oct 2, 2024 16:33:13.037672997 CEST	80	49705	2.19.126.137	192.168.2.9
Oct 2, 2024 16:33:13.037764072 CEST	49705	80	192.168.2.9	2.19.126.137
Oct 2, 2024 16:33:15.736239910 CEST	80	49723	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:15.736383915 CEST	49723	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:15.742069006 CEST	49723	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:15.742628098 CEST	49722	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:15.748266935 CEST	80	49723	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:15.749263048 CEST	80	49722	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:15.770144939 CEST	80	49722	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:15.770251989 CEST	49722	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:15.770391941 CEST	49722	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:15.770961046 CEST	49724	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:15.775489092 CEST	80	49722	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:15.776027918 CEST	80	49724	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:15.776279926 CEST	49724	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:15.776416063 CEST	49724	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:15.782007933 CEST	80	49724	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:33.220529079 CEST	49727	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:33:33.220570087 CEST	443	49727	216.58.206.68	192.168.2.9
Oct 2, 2024 16:33:33.220649958 CEST	49727	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:33:33.221025944 CEST	49727	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:33:33.221040010 CEST	443	49727	216.58.206.68	192.168.2.9
Oct 2, 2024 16:33:33.862227917 CEST	443	49727	216.58.206.68	192.168.2.9
Oct 2, 2024 16:33:33.862649918 CEST	49727	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:33:33.862662077 CEST	443	49727	216.58.206.68	192.168.2.9
Oct 2, 2024 16:33:33.862946987 CEST	443	49727	216.58.206.68	192.168.2.9
Oct 2, 2024 16:33:33.863657951 CEST	49727	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:33:33.863717079 CEST	443	49727	216.58.206.68	192.168.2.9
Oct 2, 2024 16:33:33.905998945 CEST	49727	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:33:37.188823938 CEST	80	49724	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:37.189146996 CEST	49724	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:37.195401907 CEST	49724	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:37.200349092 CEST	80	49724	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:42.249759912 CEST	49728	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:42.250231981 CEST	49729	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:42.254921913 CEST	80	49728	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:42.255000114 CEST	49728	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:42.255096912 CEST	80	49729	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:42.255148888 CEST	49729	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:42.292478085 CEST	49729	80	192.168.2.9	94.156.64.140
Oct 2, 2024 16:33:42.297727108 CEST	80	49729	94.156.64.140	192.168.2.9
Oct 2, 2024 16:33:43.769557953 CEST	443	49727	216.58.206.68	192.168.2.9
Oct 2, 2024 16:33:43.769610882 CEST	443	49727	216.58.206.68	192.168.2.9
Oct 2, 2024 16:33:43.769649982 CEST	49727	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:33:45.362376928 CEST	49727	443	192.168.2.9	216.58.206.68
Oct 2, 2024 16:33:45.362416029 CEST	443	49727	216.58.206.68	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 16:32:29.117599010 CEST	53	51508	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:29.130898952 CEST	53	58996	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:30.660284042 CEST	59718	53	192.168.2.9	1.1.1.1
Oct 2, 2024 16:32:30.660605907 CEST	57069	53	192.168.2.9	1.1.1.1
Oct 2, 2024 16:32:30.667222023 CEST	53	59718	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:30.701176882 CEST	53	57069	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:30.723294973 CEST	53	61994	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:31.889461040 CEST	63569	53	192.168.2.9	1.1.1.1
Oct 2, 2024 16:32:31.889600039 CEST	56044	53	192.168.2.9	1.1.1.1
Oct 2, 2024 16:32:31.904082060 CEST	53	56044	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:31.908997059 CEST	53	63569	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:33.166373014 CEST	51033	53	192.168.2.9	1.1.1.1
Oct 2, 2024 16:32:33.166994095 CEST	58117	53	192.168.2.9	1.1.1.1
Oct 2, 2024 16:32:33.173532009 CEST	53	51033	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:33.174074888 CEST	53	58117	1.1.1.1	192.168.2.9
Oct 2, 2024 16:32:47.761055946 CEST	53	53382	1.1.1.1	192.168.2.9
Oct 2, 2024 16:33:06.493611097 CEST	53	62095	1.1.1.1	192.168.2.9
Oct 2, 2024 16:33:13.741889000 CEST	138	138	192.168.2.9	192.168.2.255
Oct 2, 2024 16:33:28.685756922 CEST	53	50126	1.1.1.1	192.168.2.9
Oct 2, 2024 16:33:29.256194115 CEST	53	50869	1.1.1.1	192.168.2.9

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 2, 2024 16:32:30.703634024 CEST	192.168.2.9	1.1.1.1	c228	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 16:32:30.660284042 CEST	192.168.2.9	1.1.1.1	0xc85c	Standard query (0)	www.google.com.bo	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:32:30.660605907 CEST	192.168.2.9	1.1.1.1	0xccc8	Standard query (0)	www.google.com.bo	65	IN (0x0001)	false
Oct 2, 2024 16:32:31.889461040 CEST	192.168.2.9	1.1.1.1	0xa1f8	Standard query (0)	hwmtfel.bdkziufdiaaggtmn.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:32:31.889600039 CEST	192.168.2.9	1.1.1.1	0xb1be	Standard query (0)	hwmtfel.bdkziufdiaaggtmn.com	65	IN (0x0001)	false
Oct 2, 2024 16:32:33.166373014 CEST	192.168.2.9	1.1.1.1	0x7078	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:32:33.166994095 CEST	192.168.2.9	1.1.1.1	0xc736	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 16:32:30.667222023 CEST	1.1.1.1	192.168.2.9	0xc85c	No error (0)	www.google.com.bo		142.250.181.227	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:32:31.908997059 CEST	1.1.1.1	192.168.2.9	0xa1f8	No error (0)	hwmtfel.bdkziufdiaaggtmn.com		94.156.64.140	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:32:33.173532009 CEST	1.1.1.1	192.168.2.9	0x7078	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:32:33.174074888 CEST	1.1.1.1	192.168.2.9	0xc736	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 16:32:41.137901068 CEST	1.1.1.1	192.168.2.9	0xe051	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 16:32:41.137901068 CEST	1.1.1.1	192.168.2.9	0xe051	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:33:02.854479074 CEST	1.1.1.1	192.168.2.9	0xb1e9	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 16:33:02.854479074 CEST	1.1.1.1	192.168.2.9	0xb1e9	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:33:21.914923906 CEST	1.1.1.1	192.168.2.9	0x34c9	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 16:33:21.914923906 CEST	1.1.1.1	192.168.2.9	0x34c9	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 2, 2024 16:33:41.994539976 CEST	1.1.1.1	192.168.2.9	0x7c2a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 16:33:41.994539976 CEST	1.1.1.1	192.168.2.9	0x7c2a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com.bo

fs.microsoft.com

hwmtfel.bdkziufdiaaggtmn.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49715	94.156.64.140	80	344	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 16:32:31.915868998 CEST	452	OUT	GET /4wjrhlzfn HTTP/1.1 Host: hwmtfel.bdkziufdiaaggtmn.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49723	94.156.64.140	80	344	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 16:32:54.449776888 CEST	478	OUT	GET /4wjrhlzfn HTTP/1.1 Host: hwmtfel.bdkziufdiaaggtmn.com Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49722	94.156.64.140	80	344	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 16:33:15.742628098 CEST	478	OUT	GET /4wjrhlzfn HTTP/1.1 Host: hwmtfel.bdkziufdiaaggtmn.com Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49724	94.156.64.140	80	344	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 16:33:15.776416063 CEST	478	OUT	GET /4wjrhlzfn HTTP/1.1 Host: hwmtfel.bdkziufdiaaggtmn.com Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49729	94.156.64.140	80	344	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 16:33:42.292478085 CEST	478	OUT	GET /4wjrhlzfn HTTP/1.1 Host: hwmtfel.bdkziufdiaaggtmn.com Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49712	142.250.181.227	443	344	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 14:32:31 UTC	1072	OUT	GET /url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwhh=mzi HTTP/1.1 Host: www.google.com.bo Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIkqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 14:32:31 UTC	1080	IN	HTTP/1.1 302 Found Location: https://www.google.com.bo/amp/hwmtfel.bd%C2%ADk%C2%ADzi%C2%ADu%C2%ADf%C2%ADd%C2%ADi%C2%ADaa%C2%ADgg%C2%ADtmn.com/4wjrhlzfn Cache-Control: private Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-bD8p3DV8qQRz-7tsA6Csag' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Wed, 02 Oct 2024 14:32:31 GMT Server: gws Content-Length: 319 X-XSS-Protection: 0 Set-Cookie: NID=518=wKsL7ppnYVZ8oGGUgyZ3OLdPJF7uTl9sXL13fnpfebubaOfpDjeafrTOEYcZWuba5FuYVCWYjbkKijHln4KsOf2E8t3hHZB-10XgZyKCra1iBkbPrl-VAuzDIo_-rES6z_eM_7DheDACUItADAoyMfDUgYIZOk3K80paYVL_ZSGGX1a2p7L0JLXTHgmDQ_nN; expires=Thu, 03-Apr-2025 14:32:31 GMT; path=/; domain=.google.com.bo; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 14:32:31 UTC	310	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2e 62 6f 2f 61 6d 70 2f 68 77 6d 74 66 65 6c 2e 62 64 25 43 32 25 41 44 6b 25 43 32 25 41 44 7a 69 25 43 32 25 41 44 75 25 43 32 25 41 44 66 25 43 32 25 41 44 64 25 43 32 25 41 44 69 25 43 32 25 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com.bo/amp/hwmtfel.bd%C2%ADk%C2%ADzi%C2%ADu%C2%ADf%C2%ADd%C2%ADi%C2%
2024-10-02 14:32:31 UTC	9	IN	Data Raw: 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: </HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49711	142.250.181.227	443	344	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 14:32:31 UTC	1099	OUT	GET /amp/hwmtfel.bd%C2%ADk%C2%ADzi%C2%ADu%C2%ADf%C2%ADd%C2%ADi%C2%ADaa%C2%ADgg%C2%ADtmn.com/4wjrhlzfn HTTP/1.1 Host: www.google.com.bo Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIu2yQEIo7bJAQipncoBCNT9ygEIkqHLAQiFoM0BCNy9zQEIucrNAQip0c0BCInTzQEIqdXNAQjJ1s0BCPTWzQEIqNjNAQj5wNQVGOmYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=518=wKsL7ppnYVZ8oGGUgyZ3OLdPJF7uTl9sXL13fnpfebubaOfpDjeafrTOEYcZWuba5FuYVCWYjbkKijHln4KsOf2E8t3hHZB-10XgZyKCra1iBkbPrl-VAuzDIo_-rES6z_eM_7DheDACUItADAoyMfDUgYIZOk3K80paYVL_ZSGGX1a2p7L0JLXTHgmDQ_nN
2024-10-02 14:32:31 UTC	832	IN	HTTP/1.1 302 Found Location: http://hwmtfel.bdkziufdiaaggtmn.com/4wjrhlzfn Cache-Control: private X-Robots-Tag: noindex Content-Type: text/html; charset=UTF-8 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-Oitfpw7gVxXOweu5-AILIA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Permissions-Policy: unload=() Date: Wed, 02 Oct 2024 14:32:31 GMT Server: gws Content-Length: 260 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-02 14:32:31 UTC	260	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 68 77 6d 74 66 65 6c 2e 62 64 c2 ad 6b c2 ad 7a 69 c2 ad 75 c2 ad 66 c2 ad 64 c2 ad 69 c2 ad 61 61 c2 ad 67 67 c2 ad 74 6d 6e 2e 63 6f 6d 2f 34 77 6a 72 68 6c 7a 66 6e 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://hwmtfel.bdkziufdiaaggtmn.com/4wjrhlzfn">here</A>.</BODY></HT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49717	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 14:32:34 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 14:32:34 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=94396 Date: Wed, 02 Oct 2024 14:32:34 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49718	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-02 14:32:35 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-02 14:32:36 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=94338 Date: Wed, 02 Oct 2024 14:32:36 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-02 14:32:36 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 7092, Parent PID: 6124

General

Target ID:	0
Start time:	10:32:22
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 344, Parent PID: 7092

General

Target ID:	2
Start time:	10:32:27
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=1908,i,10956074042395917505,4996520690620186931,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 7116, Parent PID: 6124

General

Target ID:	3
Start time:	10:32:30
Start date:	02/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com.bo/url?url=https://mhisgyqedfumdupn&cbu=kdzjqiw&ciazgy=zqh&ravap=xidzrs&vuk=cqucblc&mzphx=wuwinm&njcs=sjnsjeww&vxvcdkyjnr=oovaswngpm&q=amp/hwmtfel.bd%c2%adk%c2%adzi%c2%adu%c2%adf%c2%add%c2%adi%c2%adaa%c2%adgg%c2%adtmn.com/4wjrhlzfn&xwos=hiteovr&hmvsnsa=adcp&kepbh=lrxcot&fwknwhh=mzi"
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 7092, Parent PID: 6124

General

Chronological Activities

Analysis Process: chrome.exePID: 344, Parent PID: 7092

General

Chronological Activities

Analysis Process: chrome.exePID: 7116, Parent PID: 6124

General

Chronological Activities