Edit tour

Windows Analysis Report
https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr

Overview

General Information

Sample URL:	https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr
Analysis ID:	1592446
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

URL contains potential PII (phishing indication)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4444 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2144,i,11466582671800459223,11533410433076010016,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6520 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: HTTP/1.1 404 Not FoundAge: 0Cache-Control: public, max-age=0, must-revalidateContent-Length: 207Content-Type: text/html; charset=utf-8Date: Thu, 16 Jan 2025 05:37:03 GMTServer: VercelStrict-Transport-Security: max-age=63072000; includeSubDomains; preloadX-Vercel-Cache: MISSX-Vercel-Id: iad1::iad1::ffmrc-1737005823642-c05257fcfaf0Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /?web=org.hel-kr-10000103@hdel.co.kr HTTP/1.1Host: glidepromo.vercel.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: glidepromo.vercel.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.krAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: session=.eJxNzEEKgCAQheG7zLpEG01r1U1CVDLKDHMX3b1ZRW_58fNucPasLtrZZR9ghE6jhObTuiZSoVFzrkyHTPbK4CAaCMke1OeysBj2diut4DTBcYo-7MxlthV6Wo-Lsh89L9qaIk0.Z4ia_w.JlvKR30teMFIenj38UnmjAiCrwM

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: glidepromo.vercel.app

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2144,i,11466582671800459223,11533410433076010016,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2144,i,11466582671800459223,11533410433076010016,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Name	IP	Active	Malicious	Antivirus Detection	Reputation
glidepromo.vercel.app	64.29.17.129	true	false		unknown
www.google.com	216.58.212.164	true	false		high

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
216.58.212.164	www.google.com	United States	15169	GOOGLEUS	false
64.29.17.129	glidepromo.vercel.app	Canada	13768	COGECO-PEER1CA	false

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592446
Start date and time:	2025-01-16 06:35:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@16/6@4/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Input	Output
URL: https://glidepromo.vercel.app Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": true, "reasoning": "This is a legitimate URL hosted on Vercel, a popular web hosting platform. The .app TLD is a secure Google-operated domain commonly used for web applications. Vercel is a well-known third-party hosting service for web applications." }
URL: https://glidepromo.vercel.app
URL: https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Enter the CAPTCHA Code", "prominent_button_name": "Submit", "text_input_field_labels": "Captcha Code:", "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

IP
192.168.2.23
192.168.2.4

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	207
Entropy (8bit):	4.730905401522706
Encrypted:	false
SSDEEP:	6:qTIuJzh5jdObRZetdzRx3G0CezLRRAyarxtV0rKn:qTpBdeRZetdzRxGezL3Ayar3irK
MD5:	E46C4E5E1FBC64B1BAE9EBD9BCEF7FCF
SHA1:	D767B3CB0AD66544C649E4165FC4B37E3C17E370
SHA-256:	E9639E3C4681CE85F852FBAC48E2EEEE5BA51296DBFEC57C200D59B76237AB80
SHA-512:	D82048FDCFF225197A7E9F0B7F22D470518420A4B10EA3327D604804D04D0D97EFADAFC84A0AAA23650146F59D94373438DC18BB822E26FD60283C384940DDB9
Malicious:	false
Reputation:	low
URL:	https://glidepromo.vercel.app/favicon.ico
Preview:	<!doctype html>.<html lang=en>.<title>404 Not Found</title>.<h1>Not Found</h1>.<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (3008)
Category:	downloaded
Size (bytes):	5690
Entropy (8bit):	5.67613245897295
Encrypted:	false
SSDEEP:	96:qwXLW82Y6Ol975JlbraDKdFUBCXI6mhB+B7wgp+3vmJ2xgAR/S/uEUY4YaTnxn1u:q4a8YOl975Jl1OWI6mymgweJsgARXXcZ
MD5:	D839E9BEC7BF74E3346EFD680A56EF6D
SHA1:	468CB69F59D9AB9EFF1EE79C43727CED42B1AAB3
SHA-256:	9E71D232194C70E28D3646B8919142FF25C82BF1F9AE9E9121C46200D05739E1
SHA-512:	36EB066A2589B42DEDF9966B5B35128472206F62FF9F996DCA9161C7E80E6A28D80F39A137BD392BB132A6FB7BCE6F693F7825487D38B2BB21470F7E3C64DC39
Malicious:	false
Reputation:	low
URL:	https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta charset="UTF-8">. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <title>Captcha</title>. <style>. body {. font-family: 'Arial', sans-serif;. background-color: #f1f1f1; /* Soft gray background /. margin: 0;. padding: 0;. display: flex;. justify-content: center;. align-items: center;. height: 100vh;. }.. .container {. background-color: #fff;. border-radius: 8px;. box-shadow: 0 4px 12px rgba(0, 0, 0, 0.1);. padding: 40px;. max-width: 420px;. width: 100%;. text-align: center;. }.. h2 {. color: #e53e3e; / Adobe red color */. font-size: 28px;. margin-bottom: 20px;. font-weight: bold;. }.. .captcha-image {. display: block;. margin: 0

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	16
Entropy (8bit):	3.625
Encrypted:	false
SSDEEP:	3:HsYn:MYn
MD5:	E32D2D8B1F6EDC77AC6FAE4CF8A026C1
SHA1:	403E3983475A9D6F51A9837F0A4C68B24A9DFF19
SHA-256:	A5A7A3C76E23C5C39E8F85611F4079E1863ADE6AA0CFE78AFD8FB50DC3E4043F
SHA-512:	44EC405D1CDA3123F25BEBD4D425FF8EAB682328AD762AB6F2AC44D6CA08E6742103C3533E5129C024AADD4E079721FA75F35053CB78C874188135F86C5A2414
Malicious:	false
Reputation:	low
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAkpTTREHWQ-1xIFDXVfuUE=?alt=proto
Preview:	CgkKBw11X7lBGgA=

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 06:36:56.048002958 CET	49675	443	192.168.2.4	173.222.162.32
Jan 16, 2025 06:37:00.899962902 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:00.900005102 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:00.900065899 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:00.900316000 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:00.900326967 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:01.542231083 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:01.542506933 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:01.542515993 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:01.544164896 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:01.544222116 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:01.545634031 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:01.545722008 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:01.593334913 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:01.593343019 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:01.640217066 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:02.873260975 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:02.873359919 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:02.873440981 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:02.873579979 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:02.873616934 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:02.873675108 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:02.873819113 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:02.873848915 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:02.874078035 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:02.874089956 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.340219975 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.340603113 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.340626955 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.341550112 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.341603994 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.345319033 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.373897076 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.374087095 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.374221087 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.374268055 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.374983072 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.374998093 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.375474930 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.375536919 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.376106024 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.376190901 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.422849894 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.422849894 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.422873974 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.469801903 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.515059948 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.515106916 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.515136957 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.515165091 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.515192986 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.515208006 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.515233994 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.515275002 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.528858900 CET	49740	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.528878927 CET	443	49740	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.586453915 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.631334066 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.713753939 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.713879108 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:03.713954926 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.720999002 CET	49739	443	192.168.2.4	64.29.17.129
Jan 16, 2025 06:37:03.721054077 CET	443	49739	64.29.17.129	192.168.2.4
Jan 16, 2025 06:37:11.435724020 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:11.435877085 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:37:11.436058998 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:11.861874104 CET	49737	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:37:11.861896992 CET	443	49737	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:00.957087040 CET	49842	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:38:00.957176924 CET	443	49842	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:00.957282066 CET	49842	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:38:00.957524061 CET	49842	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:38:00.957560062 CET	443	49842	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:01.591993093 CET	443	49842	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:01.592730045 CET	49842	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:38:01.592758894 CET	443	49842	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:01.593852043 CET	443	49842	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:01.594500065 CET	49842	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:38:01.594585896 CET	443	49842	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:01.641077995 CET	49842	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:38:11.492881060 CET	443	49842	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:11.493052006 CET	443	49842	216.58.212.164	192.168.2.4
Jan 16, 2025 06:38:11.493241072 CET	49842	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:38:12.131052017 CET	49842	443	192.168.2.4	216.58.212.164
Jan 16, 2025 06:38:12.131119967 CET	443	49842	216.58.212.164	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 06:36:57.066739082 CET	53	58537	1.1.1.1	192.168.2.4
Jan 16, 2025 06:36:57.161299944 CET	53	57640	1.1.1.1	192.168.2.4
Jan 16, 2025 06:36:58.124696016 CET	53	62051	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:00.892103910 CET	51264	53	192.168.2.4	1.1.1.1
Jan 16, 2025 06:37:00.892366886 CET	51774	53	192.168.2.4	1.1.1.1
Jan 16, 2025 06:37:00.898999929 CET	53	51264	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:00.899023056 CET	53	51774	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:02.850569010 CET	61469	53	192.168.2.4	1.1.1.1
Jan 16, 2025 06:37:02.850707054 CET	62850	53	192.168.2.4	1.1.1.1
Jan 16, 2025 06:37:02.864129066 CET	53	61469	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:02.872678041 CET	53	62850	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:03.578332901 CET	53	61536	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:10.459120989 CET	138	138	192.168.2.4	192.168.2.255
Jan 16, 2025 06:37:15.071583033 CET	53	64303	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:34.167351961 CET	53	54218	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:56.762607098 CET	53	62082	1.1.1.1	192.168.2.4
Jan 16, 2025 06:37:57.149216890 CET	53	49694	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2025-01-16 05:37:03 UTC	699	OUT	GET /?web=org.hel-kr-10000103@hdel.co.kr HTTP/1.1 Host: glidepromo.vercel.app Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 05:37:03 UTC	591	IN	HTTP/1.1 200 OK Age: 0 Cache-Control: public, max-age=0, must-revalidate Content-Length: 5690 Content-Type: text/html; charset=utf-8 Date: Thu, 16 Jan 2025 05:37:03 GMT Server: Vercel Set-Cookie: session=.eJxNzEEKgCAQheG7zLpEG01r1U1CVDLKDHMX3b1ZRW_58fNucPasLtrZZR9ghE6jhObTuiZSoVFzrkyHTPbK4CAaCMke1OeysBj2diut4DTBcYo-7MxlthV6Wo-Lsh89L9qaIk0.Z4ia_w.JlvKR30teMFIenj38UnmjAiCrwM; HttpOnly; Path=/ Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Vary: Cookie X-Vercel-Cache: MISS X-Vercel-Id: iad1::iad1::554kd-1737005823437-c1caad34dbd4 Connection: close
2025-01-16 05:37:03 UTC	2372	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 43 61 70 74 63 68 61 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 41 72 69 61 6c 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Captcha</title> <style> body { font-family: 'Arial', sans-serif; b
2025-01-16 05:37:03 UTC	3318	IN	Data Raw: 20 43 6f 64 65 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 44 69 73 70 6c 61 79 20 43 41 50 54 43 48 41 20 69 6d 61 67 65 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 69 6d 67 20 63 6c 61 73 73 3d 22 63 61 70 74 63 68 61 2d 69 6d 61 67 65 22 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 4a 59 41 41 41 41 38 43 41 49 41 41 41 41 4c 35 4e 51 39 41 41 41 49 56 6b 6c 45 51 56 52 34 6e 4f 32 63 65 31 41 56 56 52 7a 48 66 35 65 58 4b 43 6d 50 42 73 51 30 4d 55 44 51 45 56 45 6a 49 61 67 63 48 44 42 66 6f 78 4a 71 55 35 72 6a 41 2f 4f 4a 51 65 58 62 79 72 45 30 44 63 58 42 46 34 52 35 66 61 50 4f 45 4b 6d 6b 67 71 48 68 43 78 32 52 6c 30 Data Ascii: Code</h2> ... Display CAPTCHA image --> <img class="captcha-image" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJYAAAA8CAIAAAAL5NQ9AAAIVklEQVR4nO2ce1AVVRzHf5eXKCmPBsQ0MUDQEVEjIagcHDBfoxJqU5rjA/OJQeXbyrE0DcXBF4R5faPOEKmkgqHhCx2Rl0

Timestamp	Bytes transferred	Direction	Data
2025-01-16 05:37:03 UTC	822	OUT	GET /favicon.ico HTTP/1.1 Host: glidepromo.vercel.app Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: session=.eJxNzEEKgCAQheG7zLpEG01r1U1CVDLKDHMX3b1ZRW_58fNucPasLtrZZR9ghE6jhObTuiZSoVFzrkyHTPbK4CAaCMke1OeysBj2diut4DTBcYo-7MxlthV6Wo-Lsh89L9qaIk0.Z4ia_w.JlvKR30teMFIenj38UnmjAiCrwM
2025-01-16 05:37:03 UTC	372	IN	HTTP/1.1 404 Not Found Age: 0 Cache-Control: public, max-age=0, must-revalidate Content-Length: 207 Content-Type: text/html; charset=utf-8 Date: Thu, 16 Jan 2025 05:37:03 GMT Server: Vercel Strict-Transport-Security: max-age=63072000; includeSubDomains; preload X-Vercel-Cache: MISS X-Vercel-Id: iad1::iad1::ffmrc-1737005823642-c05257fcfaf0 Connection: close
2025-01-16 05:37:03 UTC	207	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Target ID:	0
Start time:	00:36:52
Start date:	16/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	00:36:54
Start date:	16/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2144,i,11466582671800459223,11533410433076010016,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	00:37:01
Start date:	16/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 42

Chrome Cache Entry: 43

Chrome Cache Entry: 44

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 4924, Parent PID: 4584

General

Chronological Activities

Analysis Process: chrome.exePID: 4444, Parent PID: 4924

General

Chronological Activities

Analysis Process: chrome.exePID: 6520, Parent PID: 4584

General

Chronological Activities

Disassembly

Windows Analysis Report
https://glidepromo.vercel.app/?web=org.hel-kr-10000103@hdel.co.kr

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre