Edit tour

Windows Analysis Report
https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg

Overview

General Information

Sample URL:	https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg
Analysis ID:	845260
Infos:

Detection

Score:	20
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses TOR for connection hidding

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5852 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 5252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 --field-trial-handle=1712,i,122453603029788713,16277537180959933779,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 4276 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

cleanup

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: classification engine

Classification label: sus20.troj.win@25/2@6/8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 --field-trial-handle=1712,i,122453603029788713,16277537180959933779,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 --field-trial-handle=1712,i,122453603029788713,16277537180959933779,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Multi-hop Proxy	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	5 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	3 Ingress Tool Transfer	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
a.nel.cloudflare.com	35.190.80.1	true	false	high
accounts.google.com	172.217.168.45	true	false	high
www.google.com	142.250.203.100	true	false	high
clients.l.google.com	142.250.203.110	true	false	high
jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in	188.114.96.7	true	true	unknown
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/favicon.ico	false	Avira URL Cloud: safe	unknown
https://a.nel.cloudflare.com/report/v3?s=vrYW%2BqQCcKhHVwQMGrC6VzmOgPFd%2Fb6Xwu%2BxmcYRT%2FgrJCv5nXeSg4hUqQcEMl0HCHLrkpW6%2F2qgH%2FlgmLv3pA%2B1f4l4z0QKOglTMZe5pOvecyw1cmzKqf%2BB0OOxLsjepawkr1ui46pAz90%2FIxKFfelP8Bvhj%2FMtXj61II1BuvkhgY2X%2Fe7uWG5%2BcxyeHwZsrhtGuJQfQDIOECbkPw%3D%3D	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg	false		unknown
https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.168.45	accounts.google.com	United States	15169	GOOGLEUS	false
188.114.96.7	jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in	European Union	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.203.100	www.google.com	United States	15169	GOOGLEUS	false
142.250.203.110	clients.l.google.com	United States	15169	GOOGLEUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	845260
Start date and time:	2023-04-12 09:15:51 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus20.troj.win@25/2@6/8
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 142.250.203.99, 34.104.35.123, 172.217.168.67
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, www.gstatic.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 107

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	3.2313522364595744
Encrypted:	false
SSDEEP:	6:qF/kGISyAII0wmE5poXLxWHiHVeWYRAII0wmE5pzlIgLP8IWXAGb:oytTwFpobMHiHVe5tTwFpzlIgr8IWfb
MD5:	3BD1F61F13105CE8A039252A55E1A4A7
SHA1:	9035E636503BF2C475FA774692529BFCD58FE386
SHA-256:	4E96B55066783F7F592FAA438B1C89DD07C4ACB399B50F306BC2BF9EDB11BBC1
SHA-512:	CAC1C5BE4844C3F606F2028977E2BA2721655F8993494A25521B4BC07536977FB4FD86440092762875D0F2291BDD3B3AF3480F56ED9D3AF2872F5C11AE7DABE8
Malicious:	false
Reputation:	low
URL:	https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg
Preview:	<html>. <head><title>503 Service Temporarily Unavailable</title></head>. <body bgcolor="white">. <center><h1>503 Service Temporarily Unavailable</h1></center>. <hr><center>nginx</center>. </body>. </html>

Chrome Cache Entry: 108

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	3.2313522364595744
Encrypted:	false
SSDEEP:	6:qF/kGISyAII0wmE5poXLxWHiHVeWYRAII0wmE5pzlIgLP8IWXAGb:oytTwFpobMHiHVe5tTwFpzlIgr8IWfb
MD5:	3BD1F61F13105CE8A039252A55E1A4A7
SHA1:	9035E636503BF2C475FA774692529BFCD58FE386
SHA-256:	4E96B55066783F7F592FAA438B1C89DD07C4ACB399B50F306BC2BF9EDB11BBC1
SHA-512:	CAC1C5BE4844C3F606F2028977E2BA2721655F8993494A25521B4BC07536977FB4FD86440092762875D0F2291BDD3B3AF3480F56ED9D3AF2872F5C11AE7DABE8
Malicious:	false
Reputation:	low
URL:	https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/favicon.ico
Preview:	<html>. <head><title>503 Service Temporarily Unavailable</title></head>. <body bgcolor="white">. <center><h1>503 Service Temporarily Unavailable</h1></center>. <hr><center>nginx</center>. </body>. </html>

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2023 09:16:55.873819113 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:55.873899937 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:55.873991966 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:55.874278069 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:55.874375105 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:55.874500990 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:55.875402927 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:55.875458002 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:55.875574112 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:55.875617027 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:55.892375946 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:55.892477036 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:55.892631054 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:55.893372059 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:55.893398046 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:56.006025076 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.006504059 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:56.006567955 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.008835077 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.008976936 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:56.021140099 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.027111053 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:56.027189970 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.028109074 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.028220892 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:56.029083967 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.029186964 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:56.036209106 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:56.041857004 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:56.041917086 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:56.044320107 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:56.044435024 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:56.349483967 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:56.349551916 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:56.349827051 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:56.349847078 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:56.349868059 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:56.350549936 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:56.350614071 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.351012945 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:56.351033926 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.351044893 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.351231098 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:56.351258993 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.351398945 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.351423025 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:56.351444006 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.387345076 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.387430906 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:56.387470007 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.387762070 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.387836933 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:56.388535023 CEST	49698	443	192.168.2.5	142.250.203.110
Apr 12, 2023 09:16:56.388571024 CEST	443	49698	142.250.203.110	192.168.2.5
Apr 12, 2023 09:16:56.430638075 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.430787086 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:56.430824041 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.430913925 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.430974007 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:56.442146063 CEST	49699	443	192.168.2.5	172.217.168.45
Apr 12, 2023 09:16:56.442210913 CEST	443	49699	172.217.168.45	192.168.2.5
Apr 12, 2023 09:16:56.453969955 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:56.454014063 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:16:56.650461912 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:16:56.885751009 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:16:56.885867119 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:16:56.886003971 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:16:56.886413097 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:16:56.886456013 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:16:56.950701952 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:16:56.955440044 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:16:56.955526114 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:16:56.956988096 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:16:56.957114935 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:16:57.004198074 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:16:57.004265070 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:16:57.004558086 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:16:57.076011896 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:16:57.076086998 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:16:57.176042080 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:06.926302910 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:06.926465988 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:06.926569939 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:11.103641987 CEST	49702	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:11.103702068 CEST	443	49702	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:27.074176073 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.074347019 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.074436903 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:27.127355099 CEST	49700	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:27.127469063 CEST	443	49700	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.249478102 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.249532938 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.249614954 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.250046015 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.250065088 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.305721998 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.310435057 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.310468912 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.312027931 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.312210083 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.316381931 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.316406012 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.316556931 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.316564083 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.316622972 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.357253075 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.357292891 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.398263931 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.430306911 CEST	49729	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:27.430356979 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.430452108 CEST	49729	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:27.430741072 CEST	49729	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:27.430757999 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.451361895 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.451524019 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.451600075 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.451739073 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.451761961 CEST	443	49728	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.451780081 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.451812029 CEST	49728	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.452368021 CEST	49732	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.452413082 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.452481031 CEST	49732	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.452797890 CEST	49732	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.452816963 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.479505062 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.479849100 CEST	49729	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:27.479876041 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.480592966 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.481034040 CEST	49729	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:27.481062889 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.481194019 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.481445074 CEST	49729	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:27.481458902 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:27.492892981 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.494234085 CEST	49732	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.494273901 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.495078087 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.495562077 CEST	49732	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.495609999 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.495707035 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.495810032 CEST	49732	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.495829105 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.644918919 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.645042896 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:27.645121098 CEST	49732	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.645495892 CEST	49732	443	192.168.2.5	35.190.80.1
Apr 12, 2023 09:17:27.645538092 CEST	443	49732	35.190.80.1	192.168.2.5
Apr 12, 2023 09:17:56.965437889 CEST	49770	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:56.965498924 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:56.965706110 CEST	49770	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:56.966397047 CEST	49770	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:56.966423988 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:57.019865036 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:57.020581961 CEST	49770	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:57.020616055 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:57.021411896 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:57.022700071 CEST	49770	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:57.022736073 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:57.022871017 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:17:57.066729069 CEST	49770	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:17:58.492929935 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:58.493088961 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:17:58.493284941 CEST	49729	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:58.590009928 CEST	49729	443	192.168.2.5	188.114.96.7
Apr 12, 2023 09:17:58.590048075 CEST	443	49729	188.114.96.7	192.168.2.5
Apr 12, 2023 09:18:07.057744980 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:18:07.057872057 CEST	443	49770	142.250.203.100	192.168.2.5
Apr 12, 2023 09:18:07.058017015 CEST	49770	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:18:08.868570089 CEST	49770	443	192.168.2.5	142.250.203.100
Apr 12, 2023 09:18:08.868632078 CEST	443	49770	142.250.203.100	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2023 09:16:55.794353008 CEST	60841	53	192.168.2.5	8.8.8.8
Apr 12, 2023 09:16:55.796190023 CEST	61893	53	192.168.2.5	8.8.8.8
Apr 12, 2023 09:16:55.821486950 CEST	60649	53	192.168.2.5	8.8.8.8
Apr 12, 2023 09:16:55.823734045 CEST	53	60841	8.8.8.8	192.168.2.5
Apr 12, 2023 09:16:55.828542948 CEST	53	61893	8.8.8.8	192.168.2.5
Apr 12, 2023 09:16:55.887197018 CEST	53	60649	8.8.8.8	192.168.2.5
Apr 12, 2023 09:16:56.859541893 CEST	61452	53	192.168.2.5	8.8.8.8
Apr 12, 2023 09:16:56.883227110 CEST	53	61452	8.8.8.8	192.168.2.5
Apr 12, 2023 09:17:27.121407986 CEST	56687	53	192.168.2.5	8.8.8.8
Apr 12, 2023 09:17:27.150101900 CEST	53	56687	8.8.8.8	192.168.2.5
Apr 12, 2023 09:17:56.930730104 CEST	60908	53	192.168.2.5	8.8.8.8
Apr 12, 2023 09:17:56.954560995 CEST	53	60908	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 12, 2023 09:16:55.794353008 CEST	192.168.2.5	8.8.8.8	0xe936	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:16:55.796190023 CEST	192.168.2.5	8.8.8.8	0x164f	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:16:55.821486950 CEST	192.168.2.5	8.8.8.8	0x9e94	Standard query (0)	jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:16:56.859541893 CEST	192.168.2.5	8.8.8.8	0xa7f	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:17:27.121407986 CEST	192.168.2.5	8.8.8.8	0x171f	Standard query (0)	a.nel.cloudflare.com	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:17:56.930730104 CEST	192.168.2.5	8.8.8.8	0x7bc0	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 12, 2023 09:16:55.823734045 CEST	8.8.8.8	192.168.2.5	0xe936	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 12, 2023 09:16:55.823734045 CEST	8.8.8.8	192.168.2.5	0xe936	No error (0)	clients.l.google.com		142.250.203.110	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:16:55.828542948 CEST	8.8.8.8	192.168.2.5	0x164f	No error (0)	accounts.google.com		172.217.168.45	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:16:55.887197018 CEST	8.8.8.8	192.168.2.5	0x9e94	No error (0)	jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in		188.114.96.7	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:16:55.887197018 CEST	8.8.8.8	192.168.2.5	0x9e94	No error (0)	jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in		188.114.97.7	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:16:56.883227110 CEST	8.8.8.8	192.168.2.5	0xa7f	No error (0)	www.google.com		142.250.203.100	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:17:27.150101900 CEST	8.8.8.8	192.168.2.5	0x171f	No error (0)	a.nel.cloudflare.com		35.190.80.1	A (IP address)	IN (0x0001)	false
Apr 12, 2023 09:17:56.954560995 CEST	8.8.8.8	192.168.2.5	0x7bc0	No error (0)	www.google.com		142.250.203.100	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in

accounts.google.com

clients2.google.com

https:

a.nel.cloudflare.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49700	188.114.96.7	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-12 07:16:56 UTC	0	OUT	GET /new-nn/thumb/1654322753015s.jpg HTTP/1.1 Host: jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-04-12 07:17:27 UTC	5	IN	HTTP/1.1 503 Service Unavailable Date: Wed, 12 Apr 2023 07:17:27 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: BYPASS Set-Cookie: cuid=clgdcz3f02eeb0jlhflo8fxwp; path=/; expires=Sun, 06 Aug 2023 01:03:36 GMT; domain=.torproxy.in; secure; httponly Set-Cookie: lbtp=9; path=/; expires=Wed, 12 Apr 2023 15:16:56 GMT; domain=.torproxy.in; secure; httponly Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vrYW%2BqQCcKhHVwQMGrC6VzmOgPFd%2Fb6Xwu%2BxmcYRT%2FgrJCv5nXeSg4hUqQcEMl0HCHLrkpW6%2F2qgH%2FlgmLv3pA%2B1f4l4z0QKOglTMZe5pOvecyw1cmzKqf%2BB0OOxLsjepawkr1ui46pAz90%2FIxKFfelP8Bvhj%2FMtXj61II1BuvkhgY2X%2Fe7uWG5%2BcxyeHwZsrhtGuJQfQDIOECbkPw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7b69afcc3ea89bc5-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2023-04-12 07:17:27 UTC	6	IN	Data Raw: 31 38 36 0d 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 Data Ascii: 186<html> <head><title>503 Service Temporarily Unavailable</title></head> <body bgcolor="white"> <center><h1>503 Service Temporarily Unavailable</h1></center
2023-04-12 07:17:27 UTC	6	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49699	172.217.168.45	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-12 07:16:56 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-04-12 07:16:56 UTC	1	OUT	Data Raw: 20 Data Ascii:
2023-04-12 07:16:56 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 12 Apr 2023 07:16:56 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp" Content-Security-Policy: script-src 'report-sample' 'nonce-dE9a4pKhsg66rxIwez4b4A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version= Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]} Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-04-12 07:16:56 UTC	5	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-04-12 07:16:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49698	142.250.203.110	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-12 07:16:56 UTC	1	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-104.0.5112.81 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-04-12 07:16:56 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-Ww8R8TnvC-hd6llKwWsOXA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 12 Apr 2023 07:16:56 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5945 X-Daystart: 1016 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-04-12 07:16:56 UTC	2	IN	Data Raw: 32 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 39 34 35 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 31 30 31 36 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 20 Data Ascii: 2c8<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5945" elapsed_seconds="1016"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-04-12 07:16:56 UTC	3	IN	Data Raw: 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 3f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-04-12 07:16:56 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49728	35.190.80.1	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-12 07:17:27 UTC	6	OUT	OPTIONS /report/v3?s=vrYW%2BqQCcKhHVwQMGrC6VzmOgPFd%2Fb6Xwu%2BxmcYRT%2FgrJCv5nXeSg4hUqQcEMl0HCHLrkpW6%2F2qgH%2FlgmLv3pA%2B1f4l4z0QKOglTMZe5pOvecyw1cmzKqf%2BB0OOxLsjepawkr1ui46pAz90%2FIxKFfelP8Bvhj%2FMtXj61II1BuvkhgY2X%2Fe7uWG5%2BcxyeHwZsrhtGuJQfQDIOECbkPw%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-04-12 07:17:27 UTC	7	IN	HTTP/1.1 200 OK content-length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-type, content-length date: Wed, 12 Apr 2023 07:17:27 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49729	188.114.96.7	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-12 07:17:27 UTC	7	OUT	GET /favicon.ico HTTP/1.1 Host: jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in Connection: keep-alive sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: cuid=clgdcz3f02eeb0jlhflo8fxwp; lbtp=9
2023-04-12 07:17:58 UTC	9	IN	HTTP/1.1 503 Service Unavailable Date: Wed, 12 Apr 2023 07:17:58 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: BYPASS Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vDAWlD%2BuXr5h%2BCBIzHPG%2FHLJe5TGItatnpgzf8toWpMfm3lo0y0UH16vH2InIlIx2KQVw0YcjSCxpS0StlJO%2Faw5L0Fr4Xa35PTscCOgiSgUJx0GgKWZCRUddKxmpHgqLJgLiP7MgQ6VYMIqNFzkVF%2BVL0mEB%2BiTWDQluAjsqkxnCdyGRovlCiEKU2SAlIQ351sz3YpmW%2FAFO4dLLg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7b69b08f1e8f3a6e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2023-04-12 07:17:58 UTC	10	IN	Data Raw: 31 38 36 0d 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 Data Ascii: 186<html> <head><title>503 Service Temporarily Unavailable</title></head> <body bgcolor="white"> <center><h1>503 Service Temporarily Unavailable</h1></center
2023-04-12 07:17:58 UTC	10	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49732	35.190.80.1	443	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-12 07:17:27 UTC	8	OUT	POST /report/v3?s=vrYW%2BqQCcKhHVwQMGrC6VzmOgPFd%2Fb6Xwu%2BxmcYRT%2FgrJCv5nXeSg4hUqQcEMl0HCHLrkpW6%2F2qgH%2FlgmLv3pA%2B1f4l4z0QKOglTMZe5pOvecyw1cmzKqf%2BB0OOxLsjepawkr1ui46pAz90%2FIxKFfelP8Bvhj%2FMtXj61II1BuvkhgY2X%2Fe7uWG5%2BcxyeHwZsrhtGuJQfQDIOECbkPw%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 476 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-04-12 07:17:27 UTC	8	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 30 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 33 31 36 34 36 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 38 38 2e 31 31 34 2e 39 36 2e 37 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 35 30 33 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6a 77 7a 7a 65 76 6e 62 72 6c 65 74 78 78 37 Data Ascii: [{"age":0,"body":{"elapsed_time":31646,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"188.114.96.7","status_code":503,"type":"http.error"},"type":"network-error","url":"https://jwzzevnbrletxx7
2023-04-12 07:17:27 UTC	9	IN	HTTP/1.1 200 OK content-length: 0 date: Wed, 12 Apr 2023 07:17:27 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5852, Parent PID: 4224

General

Target ID:	0
Start time:	09:16:50
Start date:	12/04/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff7d31b0000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5252, Parent PID: 5852

General

Target ID:	1
Start time:	09:16:51
Start date:	12/04/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 --field-trial-handle=1712,i,122453603029788713,16277537180959933779,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7d31b0000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4276, Parent PID: 4224

General

Target ID:	2
Start time:	09:16:52
Start date:	12/04/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg
Imagebase:	0x7ff7d31b0000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: global traffic	HTTP traffic detected: GET /new-nn/thumb/1654322753015s.jpg HTTP/1.1Host: jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.inConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.inConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpgAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cuid=clgdcz3f02eeb0jlhflo8fxwp; lbtp=9

Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Wed, 12 Apr 2023 07:17:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: BYPASSSet-Cookie: cuid=clgdcz3f02eeb0jlhflo8fxwp; path=/; expires=Sun, 06 Aug 2023 01:03:36 GMT; domain=.torproxy.in; secure; httponlySet-Cookie: lbtp=9; path=/; expires=Wed, 12 Apr 2023 15:16:56 GMT; domain=.torproxy.in; secure; httponlyReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vrYW%2BqQCcKhHVwQMGrC6VzmOgPFd%2Fb6Xwu%2BxmcYRT%2FgrJCv5nXeSg4hUqQcEMl0HCHLrkpW6%2F2qgH%2FlgmLv3pA%2B1f4l4z0QKOglTMZe5pOvecyw1cmzKqf%2BB0OOxLsjepawkr1ui46pAz90%2FIxKFfelP8Bvhj%2FMtXj61II1BuvkhgY2X%2Fe7uWG5%2BcxyeHwZsrhtGuJQfQDIOECbkPw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7b69afcc3ea89bc5-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Wed, 12 Apr 2023 07:17:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: BYPASSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vDAWlD%2BuXr5h%2BCBIzHPG%2FHLJe5TGItatnpgzf8toWpMfm3lo0y0UH16vH2InIlIx2KQVw0YcjSCxpS0StlJO%2Faw5L0Fr4Xa35PTscCOgiSgUJx0GgKWZCRUddKxmpHgqLJgLiP7MgQ6VYMIqNFzkVF%2BVL0mEB%2BiTWDQluAjsqkxnCdyGRovlCiEKU2SAlIQ351sz3YpmW%2FAFO4dLLg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7b69b08f1e8f3a6e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Description:	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Network protocol analysis
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 107

Chrome Cache Entry: 108

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: chrome.exePID: 5852, Parent PID: 4224

General

Chronological Activities

Analysis Process: chrome.exePID: 5252, Parent PID: 5852

General

Chronological Activities

Analysis Process: chrome.exePID: 4276, Parent PID: 4224

General

Chronological Activities

Disassembly

Windows Analysis Report
https://jwzzevnbrletxx7e4nqmfv73mre7rjik6nktidduppjcei6xr75aybyd.onion.torproxy.in/new-nn/thumb/1654322753015s.jpg