Edit tour

Windows Analysis Report
http://links.news.privateinternetaccess.com

Overview

General Information

Sample URL:	http://links.news.privateinternetaccess.com
Analysis ID:	1426716
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=2004,i,10016512260190257844,12287985651076443221,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6416 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://links.news.privateinternetaccess.com" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: http://links.news.privateinternetaccess.com/

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.189.216
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Content-Encoding: gzipVary: Accept-EncodingSet-Cookie: TEMP_DATA=d1b73f98-64ec-44d4-9972-5f21467405a2; path=/Date: Tue, 16 Apr 2024 12:17:37 GMTContent-Length: 678Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e ff ae 4f bf 3c 79 f3 fb bc 3c 4d e7 ed a2 4c 5f 7e f5 e4 f9 d9 49 fa d1 f6 dd bb df bd 77 72 f7 ee d3 37 4f d3 df fb db 6f be 78 9e ee 8e 77 d2 37 75 b6 6c 8a b6 a8 96 59 79 f7 ee e9 8b 8f d2 8f e6 6d bb 7a 74 f7 ee d5 d5 d5 f8 ea de b8 aa 2f ee be 79 75 f7 1d 60 ed e2 65 fd 75 bb f5 de 1c cf da d9 47 47 bf 71 f2 18 5f a5 ef 16 e5 b2 f9 2c 02 67 f7 e1 c3 87 f2 fa 47 29 b7 ce b3 19 fd fc b1 c7 6d d1 96 39 fd 96 d2 f3 ac aa d3 66 3d 69 a6 75 31 c9 6b 6a 75 d7 7c fb 63 8f 17 79 9b a5 cb 6c 91 7f f6 51 5d 4d aa b6 f9 28 9d 56 cb 36 5f b6 9f 7d b4 ac 8a e5 2c 7f 37 5a 56 e7 55 59 56 57 1f a5 77 bb ef 5c 54 d5 45 99 07 ef f0 28 ca ac a5 4f d1 fc f1 5d c5 e9 f1 a4 9a 5d d3 cf 1f 7b 3c 2b 2e f1 f3 c7 e8 b3 b2 58 be 4d e7 75 7e fe d9 47 77 9b f6 ba cc 9b bb 79 5d 57 f5 ef 71 f9 d9 d3 ac c9 9b cb ed 2f 9b c5 f1 f3 df bb 7c 70 f1 13 5f be 3a fb bd 2f 26 c7 cf ef b7 5f ee 4e a6 d9 ab ef 1e 2f 5e dd ff fc f7 df 29 4e 77 3f 4a eb bc fc ec 23 81 30 cf f3 f6 23 74 8d ff d0 59 3a 2d b3 86 c8 77 fa 7a fb 65 76 91 6f 7f 9b 10 ca eb 8f 52 6e fe d9 47 8b ac be 28 96 db 6d b5 7a 94 de df 59 bd 3b 04 dd 7f ec f1 7c ef e8 f7 a9 d6 e9 3c bb cc 09 7a 36 9d e7 b3 b4 9d e7 29 a3 dc e4 f5 65 5e 8f 69 70 7b a6 f1 d9 79 7a 6d da 67 cb eb f4 17 ad f3 06 73 d9 a4 17 55 3a c9 a6 6f d3 b6 42 8b 3a cd 17 59 51 52 9b 19 c1 5d 95 d7 0e ca 0a 58 ff 18 41 bb 67 a0 9d e7 79 89 5f 7e e1 8f df 7b 78 48 80 eb 7c 9a 17 97 84 49 96 2e f2 a6 a1 d1 a4 e7 75 b5 48 01 56 70 6a d2 ab a2 9d 57 eb 16 af d1 64 af f2 7a 51 34 0d 21 32 4a 57 65 4e 44 4d cf ab fa 2a ab 67 69 d1 02 a5 6c b2 6e f2 df 33 7f 47 0d db 26 a7 09 af c7 d3 6a 41 38 dd 23 64 1e df 25 fa d1 cf 1f 33 bf 3c be ab d3 48 0d 88 eb 8e fe 1f 91 26 54 37 1b 03 00 00 Data Ascii: `I%&/m{JJt`$@iG#)eVe]f@{{;N'?\fdlJ!?~\|?"O<y<ML_~Iwr7Ooxw7ulYymzt/yu`euGGq_,gG)m9f=iu1kju\|cylQ]M(V6_},7ZVUYVWw\TE(O]]{<+.XMu~Gwy]Wq/\|p_:/&_N/^)Nw?J#0#tY:-wzevoRnG(mzY;\|<z6)e^ip{yzmgsU:oB:YQR]XAgy_~{xH\|I.uHVpjWdzQ4!2JWeNDMgiln3G&jA8#d%3<H&T7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKCache-Control: publicContent-Type: text/css; charset=utf-8Content-Encoding: gzipExpires: Wed, 16 Apr 2025 12:17:38 GMTLast-Modified: Tue, 16 Apr 2024 12:17:38 GMTVary: User-Agent,Accept-EncodingDate: Tue, 16 Apr 2024 12:17:38 GMTContent-Length: 495Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 26 d5 ec fa 17 9f 57 cb 76 fb 3c 5b 14 e5 f5 a3 e3 ba c8 ca 43 fe a4 29 7e 90 3f da dd 5b bd 3b 5c 64 f5 45 b1 7c b4 73 b8 ca 66 b3 62 79 f1 68 e7 97 9c 57 f5 e2 17 47 3e ff f1 d3 d7 db 5f 64 c5 72 fb 24 5f b6 79 9d cf 7e f1 55 31 6b e7 8f 3e dd d9 71 80 b2 75 5b 99 77 b6 db 6a f5 e8 3e be 34 1f 4c aa b6 ad 16 8f 1e e2 b3 49 36 7d 7b 51 57 eb e5 6c 7b 55 35 45 5b 54 cb 47 75 71 31 6f 53 69 e5 37 a8 f3 55 9e b5 8f 96 95 fe d6 c7 25 2d 16 17 63 fa f0 79 75 51 29 f2 db 65 7e de 3e da 45 5f fa 81 00 e6 8f 1c 84 27 d5 bb 5f 3c a9 ea 59 5e 3f 6a aa b2 98 a5 bb ab 77 e9 8f 4f cf f1 df a1 8c 70 ff 80 de 30 83 e0 d7 cd 1f 06 e4 de 7d 02 39 2b 2e 81 c2 97 ab 6c 5a b4 d7 0f ee ff 62 6f 04 c5 22 bb c8 1f ad eb 72 eb e3 bb 27 34 05 84 f6 dd b3 c5 c5 dd ca 34 1e af 96 17 1f df f1 07 6d a9 82 71 a4 44 4b ff 4b a1 c3 23 f9 61 7a 7e 49 7d 6c 7f 3b cf 68 2c e9 7c ef 17 4f ab b2 aa 1f fd f8 a7 9f 7e ea cd fa 1e b0 17 7a d0 ec ce 73 50 9c d1 3f ac 2e f3 fa bc ac ae 1e cd 8b d9 2c 5f 1e b6 f9 bb 76 3b 2b 8b 8b e5 a3 29 a1 9b d7 fa 1a 4f 2b 88 10 ed f6 9e e9 f6 e1 c3 87 5e b7 cc 6c fc e7 95 74 b9 24 2e 23 76 14 90 84 49 af b7 5f f2 ff 00 1a df 99 f0 c1 02 00 00 Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~\|?"&Wv<[C)~?[;\dE\|sfbyhWG>_dr$_y~U1k>qu[wj>4LI6}{QWl{U5E[TGuq1oSi7U%-cyuQ)e~>E_'_<Y^?jwOp0}9+.lZbo"r'44mqDKK#az~I}l;h,\|O~zsP?.,_v;+)O+^lt$.#vI_

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: links.news.privateinternetaccess.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /styles/error?v=Dasesv-OsmALXl7gQORIXgbAL5tO1bcaRWAmR5G_0iE1 HTTP/1.1Host: links.news.privateinternetaccess.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/css,/;q=0.1Referer: http://links.news.privateinternetaccess.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: TEMP_DATA=d1b73f98-64ec-44d4-9972-5f21467405a2
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: links.news.privateinternetaccess.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://links.news.privateinternetaccess.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: TEMP_DATA=d1b73f98-64ec-44d4-9972-5f21467405a2

Source: unknown

DNS traffic detected: queries for: links.news.privateinternetaccess.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Date: Tue, 16 Apr 2024 12:17:38 GMTContent-Length: 1432Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 20 69 64 3d 22 48 65 61 64 31 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 20 20 20 20 45 78 70 65 72 74 53 65 6e 64 65 72 20 3a 20 45 72 72 6f 72 20 34 30 34 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 74 72 61 6e 73 6c 61 74 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 48 6f 6d 65 2f 46 61 76 69 63 6f 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 48 6f 6d 65 2f 46 61 76 69 63 6f 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 65 72 72 6f 72 3f 76 3d 44 61 73 65 73 76 2d 4f 73 6d 41 4c 58 6c 37 67 51 4f 52 49 58 67 62 41 4c 35 74 4f 31 62 63 61 52 57 41 6d 52 35 47 5f 30 69 45 31 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 2f 3e 0d 0a 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 6d 61 69 6e 73 74 79 6c 65 73 3f 76 3d 41 57 76 45 37 4b 75 38 2d 2d 64 6a 48 46 61 39 6d 6e 30 4e 64 55 62 4d 39 6f 55 52 36 37 45 32 55 4a 66 45 50 37 55 32 79 65 4d 31 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 2f 3e 0d 0a 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 43 6f 6e 74 65 6e 74 2f 70 72 65 66 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72 79 2e 63 6f 6d 2f 6a 71 75 65 72 79 2d 32 2e 32 2e 33 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72

Source: chromecache_42.2.dr	String found in binary or memory: http://ajax.aspnetcdn.com/ajax/jquery.validate/1.14.0/jquery.validate.js
Source: chromecache_42.2.dr	String found in binary or memory: https://code.jquery.com/jquery-2.2.3.min.js
Source: chromecache_42.2.dr	String found in binary or memory: https://code.jquery.com/jquery-migrate-1.2.1.min.js

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443

Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.189.216:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@16/6@4/4

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=2004,i,10016512260190257844,12287985651076443221,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://links.news.privateinternetaccess.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=2004,i,10016512260190257844,12287985651076443221,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	4 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://links.news.privateinternetaccess.com	1%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
click-s6-other.esv2.com	80.209.249.242	true	false	high
www.google.com	74.125.136.106	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown
links.news.privateinternetaccess.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://links.news.privateinternetaccess.com/favicon.ico	false	high
http://links.news.privateinternetaccess.com/	false	high
http://links.news.privateinternetaccess.com/styles/error?v=Dasesv-OsmALXl7gQORIXgbAL5tO1bcaRWAmR5G_0iE1	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://code.jquery.com/jquery-2.2.3.min.js	chromecache_42.2.dr	false	high
https://code.jquery.com/jquery-migrate-1.2.1.min.js	chromecache_42.2.dr	false	high
http://ajax.aspnetcdn.com/ajax/jquery.validate/1.14.0/jquery.validate.js	chromecache_42.2.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
80.209.249.242	click-s6-other.esv2.com	Poland	47544	IQPL-ASPL	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
74.125.136.106	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1426716
Start date and time:	2024-04-16 14:16:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://links.news.privateinternetaccess.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@16/6@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 64.233.177.94, 172.217.215.113, 172.217.215.100, 172.217.215.138, 172.217.215.139, 172.217.215.102, 172.217.215.101, 108.177.122.84, 34.104.35.123, 20.114.59.183, 72.21.81.240, 192.229.211.108, 20.166.126.56, 64.233.185.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 795
Category:	downloaded
Size (bytes):	678
Entropy (8bit):	7.482093755885982
Encrypted:	false
SSDEEP:	12:XeolYushnKsWfZnikzVSn6e3PWnIzN5kYE3TlcV457IwklzrhfXJXD6Vve7:XaushnKsinidn6cuIB5kz3TkwklzVfX/
MD5:	66D812A6C69D06FB3B490BA0C3AEC51E
SHA1:	573F4DCDB28CCBBEAC50BB67E9F4AF04BD44962B
SHA-256:	6E6DC6B7ABBB201784F9CBA590CA4687F2C9C5AECF9430B24B835D22ED781F1B
SHA-512:	0152303F7CDC46496DE860EA83825BBA3B089E3DB4866D257F1A1801818A8603557BEF27D54C1BD013101EA9799C16A0D0576EF16276D5AB6BDF96A0FF587278
Malicious:	false
Reputation:	low
URL:	http://links.news.privateinternetaccess.com/
Preview:	............`.I.%&/m.{.J.J..t...`.$.@........iG#)...eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~\|.?"...O.<y...<M..L_~....I.....wr...7O....o.x..w.7u.l....Yy.....m.zt........./.yu..`..e.u.......GG.q.._.....,.g.....G).......m.9.....f=i.u1.kju.\|.c..y...l...Q]M...(.V.6_..}....,.7ZV.UYVW..w..\T.E....(..O...]...]...{<+.....X.M.u~..Gw.....y]W..q....../.....\|p.._.:../&..._.N..../^.....)Nw?J...#.0...#t...Y:-...w.z.ev.o.....Rn..G...(..m.z...Y.;.....\|......<...z6....)....e^.ip{...yzm.g.......s..U:.o.B.:..YQR...].....X..A.g...y._~..{xH..\|....I.....u.H.Vpj...W....d..zQ4.!2JWeNDM...gi...l.n..3.G..&.....jA8.#d..%....3.<...H......&T7....

Chrome Cache Entry: 42

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1432
Entropy (8bit):	5.276406027412679
Encrypted:	false
SSDEEP:	24:hM0mIAvy4WYeGFdsfHMpuI9iaLlWNVMzlfPNVMzWKjQsJVM4hLHqdjk:lmIAq1YNdispb9dZnxEiswWLKpk
MD5:	2A2BB55FB649B9CE37F5418CA54ED21F
SHA1:	8CF0C470519330A7799A3DFD2C2175542DD05617
SHA-256:	B87D3F780B68AB568280D84481462F273CCC8F8FB560F840EF8EBCF248767034
SHA-512:	5E198D012DFC14B899BCBA39F3514A4017514DCD8532DA196839619200EE669E0DF65FA468E7040393DCB2A20C313DB3182DFFDE25FABF36F69A46DB4B834C24
Malicious:	false
Reputation:	low
URL:	http://links.news.privateinternetaccess.com/favicon.ico
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head id="Head1">.. <title>.. ExpertSender : Error 404..</title>.. <meta name="google" content="notranslate" />.. <meta name="robots" content="noindex,nofollow" />.. <link rel="icon" href="/Home/Favicon" />.. <link rel="shortcut icon" href="/Home/Favicon" />.. <meta http-equiv="Content-type" content="text/html; charset=utf-8" />.. .. <link href="/styles/error?v=Dasesv-OsmALXl7gQORIXgbAL5tO1bcaRWAmR5G_0iE1" rel="stylesheet"/>.... <link href="/styles/mainstyles?v=AWvE7Ku8--djHFa9mn0NdUbM9oUR67E2UJfEP7U2yeM1" rel="stylesheet"/>.... .. <link rel="stylesheet" href="/Content/pref.min.css" />.... .. <script type="text/javascript" src="https://code.jquery.com/jquery-2.2.3.min.js"></script>.. <script type="text/javascript" src="https://code.jquery.com/jquery-migrate-1.2.1.min.js"></script>.. <s

Chrome Cache Entry: 43

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 705
Category:	downloaded
Size (bytes):	495
Entropy (8bit):	7.44862825374762
Encrypted:	false
SSDEEP:	12:XeolYushnKsWHUAmo6Itgm987yGK/KGEcp2oyhvt1+rFzvV0fhz5:XaushnKsGUXo6ItgZeKGXp2XgFz90fZ5
MD5:	E65599D7C119186E5E5C353B085DA53C
SHA1:	C113E8738E1FEFFCCB913FAF4D1C912C8815874D
SHA-256:	1396AC46AFC04198220958CEFA47FB4954FC8E3C538F4EB2812BCB26B1EB1D33
SHA-512:	B40B148EF22946F7C411C95D061F580A0085E3713150D004F138A244B4261CD88E847B8A7127BFF23037705821EDF1485B75FD2B96E820187C1448305B0E64B9
Malicious:	false
Reputation:	low
URL:	http://links.news.privateinternetaccess.com/styles/error?v=Dasesv-OsmALXl7gQORIXgbAL5tO1bcaRWAmR5G_0iE1
Preview:	............`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~\|.?"&.....W.v.<[.......C..)~.?..[.;\d.E.\|.s..f.by.h.W...G>....._d.r.$_.y..~.U1k.>..q..u[.w..j..>.4.L.......I6}{QW..l{U5E[T.Guq1oSi.7..U........%-..c..yuQ)..e~.>.E_......'._<..Y^?j......w.O....p...0........}.9+....lZ.....bo..".....r..'4........4........m..q.DK.K..#.az~I}l.;.h,.\|..O........~......z...sP..?..........,_....v;+...).....O+.........^..l..t.$.#v...I.._..........

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 14:17:27.312711000 CEST	49678	443	192.168.2.4	104.46.162.224
Apr 16, 2024 14:17:28.531398058 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 16, 2024 14:17:37.533062935 CEST	49735	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:37.533401012 CEST	49736	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:37.659224987 CEST	49737	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:37.776236057 CEST	80	49735	80.209.249.242	192.168.2.4
Apr 16, 2024 14:17:37.776299000 CEST	80	49736	80.209.249.242	192.168.2.4
Apr 16, 2024 14:17:37.776386976 CEST	49735	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:37.776555061 CEST	49736	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:37.776628017 CEST	49736	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:37.883420944 CEST	80	49737	80.209.249.242	192.168.2.4
Apr 16, 2024 14:17:37.883518934 CEST	49737	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:38.029953957 CEST	80	49736	80.209.249.242	192.168.2.4
Apr 16, 2024 14:17:38.049693108 CEST	49736	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:38.141303062 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 16, 2024 14:17:38.294605970 CEST	80	49736	80.209.249.242	192.168.2.4
Apr 16, 2024 14:17:38.341598034 CEST	49736	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:38.347959995 CEST	49736	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:38.596025944 CEST	80	49736	80.209.249.242	192.168.2.4
Apr 16, 2024 14:17:38.596079111 CEST	80	49736	80.209.249.242	192.168.2.4
Apr 16, 2024 14:17:38.596292973 CEST	49736	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:17:40.364970922 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:40.365052938 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:40.365863085 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:40.365864038 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:40.365988016 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:40.598278046 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:40.602744102 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:40.602802992 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:40.604360104 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:40.604557037 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:40.609769106 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:40.610060930 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:40.655543089 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:40.655600071 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:40.702410936 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:40.724899054 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:40.724977016 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:40.727796078 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:40.731914043 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:40.731962919 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:40.952270031 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:40.952696085 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:40.957240105 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:40.957293034 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:40.957777023 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.000133038 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.023165941 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.064194918 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.152916908 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.152980089 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.153196096 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.153196096 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.153768063 CEST	49741	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.153826952 CEST	443	49741	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.191667080 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.191756010 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.191956997 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.192209959 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.192235947 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.406769037 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.406965017 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.408127069 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.408155918 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.408735991 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.409807920 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.456119061 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.614131927 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.614229918 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.614304066 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.616347075 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.616347075 CEST	49742	443	192.168.2.4	23.220.189.216
Apr 16, 2024 14:17:41.616375923 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:41.616400003 CEST	443	49742	23.220.189.216	192.168.2.4
Apr 16, 2024 14:17:50.593890905 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:50.594016075 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:17:50.594330072 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:52.281883955 CEST	49740	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:17:52.281945944 CEST	443	49740	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:22.780930042 CEST	49735	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:18:22.890202999 CEST	49737	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:18:23.023920059 CEST	80	49735	80.209.249.242	192.168.2.4
Apr 16, 2024 14:18:23.113873959 CEST	80	49737	80.209.249.242	192.168.2.4
Apr 16, 2024 14:18:23.608907938 CEST	49736	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:18:23.851814032 CEST	80	49736	80.209.249.242	192.168.2.4
Apr 16, 2024 14:18:38.617000103 CEST	49735	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:18:38.617063999 CEST	49737	80	192.168.2.4	80.209.249.242
Apr 16, 2024 14:18:38.841311932 CEST	80	49737	80.209.249.242	192.168.2.4
Apr 16, 2024 14:18:38.860095978 CEST	80	49735	80.209.249.242	192.168.2.4
Apr 16, 2024 14:18:40.313508034 CEST	49751	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:18:40.313606977 CEST	443	49751	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:40.313680887 CEST	49751	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:18:40.313983917 CEST	49751	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:18:40.314012051 CEST	443	49751	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:40.533648014 CEST	443	49751	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:40.533993006 CEST	49751	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:18:40.534030914 CEST	443	49751	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:40.534801006 CEST	443	49751	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:40.535170078 CEST	49751	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:18:40.535420895 CEST	443	49751	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:40.578232050 CEST	49751	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:18:46.266007900 CEST	49723	80	192.168.2.4	199.232.210.172
Apr 16, 2024 14:18:46.266220093 CEST	49724	80	192.168.2.4	199.232.210.172
Apr 16, 2024 14:18:46.369791985 CEST	80	49723	199.232.210.172	192.168.2.4
Apr 16, 2024 14:18:46.369906902 CEST	80	49724	199.232.210.172	192.168.2.4
Apr 16, 2024 14:18:46.369946003 CEST	80	49724	199.232.210.172	192.168.2.4
Apr 16, 2024 14:18:46.370129108 CEST	80	49723	199.232.210.172	192.168.2.4
Apr 16, 2024 14:18:46.370143890 CEST	49724	80	192.168.2.4	199.232.210.172
Apr 16, 2024 14:18:46.370173931 CEST	49723	80	192.168.2.4	199.232.210.172
Apr 16, 2024 14:18:50.533834934 CEST	443	49751	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:50.533982038 CEST	443	49751	74.125.136.106	192.168.2.4
Apr 16, 2024 14:18:50.534228086 CEST	49751	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:18:52.287130117 CEST	49751	443	192.168.2.4	74.125.136.106
Apr 16, 2024 14:18:52.287198067 CEST	443	49751	74.125.136.106	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 14:17:36.133188963 CEST	53	52186	1.1.1.1	192.168.2.4
Apr 16, 2024 14:17:36.153191090 CEST	53	52368	1.1.1.1	192.168.2.4
Apr 16, 2024 14:17:36.742109060 CEST	53	50903	1.1.1.1	192.168.2.4
Apr 16, 2024 14:17:37.387383938 CEST	58922	53	192.168.2.4	1.1.1.1
Apr 16, 2024 14:17:37.387928963 CEST	61629	53	192.168.2.4	1.1.1.1
Apr 16, 2024 14:17:37.493521929 CEST	53	58922	1.1.1.1	192.168.2.4
Apr 16, 2024 14:17:37.557634115 CEST	53	61629	1.1.1.1	192.168.2.4
Apr 16, 2024 14:17:40.251416922 CEST	51757	53	192.168.2.4	1.1.1.1
Apr 16, 2024 14:17:40.251534939 CEST	51342	53	192.168.2.4	1.1.1.1
Apr 16, 2024 14:17:40.356627941 CEST	53	51342	1.1.1.1	192.168.2.4
Apr 16, 2024 14:17:40.356667995 CEST	53	51757	1.1.1.1	192.168.2.4
Apr 16, 2024 14:17:53.745470047 CEST	53	61961	1.1.1.1	192.168.2.4
Apr 16, 2024 14:17:57.849241972 CEST	138	138	192.168.2.4	192.168.2.255
Apr 16, 2024 14:18:12.823884010 CEST	53	53266	1.1.1.1	192.168.2.4
Apr 16, 2024 14:18:35.478800058 CEST	53	58962	1.1.1.1	192.168.2.4
Apr 16, 2024 14:18:35.528136969 CEST	53	63522	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 16, 2024 14:17:37.557876110 CEST	192.168.2.4	1.1.1.1	c262	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 16, 2024 14:17:37.387383938 CEST	192.168.2.4	1.1.1.1	0x7d6b	Standard query (0)	links.news.privateinternetaccess.com	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:37.387928963 CEST	192.168.2.4	1.1.1.1	0x3d35	Standard query (0)	links.news.privateinternetaccess.com	65	IN (0x0001)	false
Apr 16, 2024 14:17:40.251416922 CEST	192.168.2.4	1.1.1.1	0x6275	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:40.251534939 CEST	192.168.2.4	1.1.1.1	0xc35	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 16, 2024 14:17:37.493521929 CEST	1.1.1.1	192.168.2.4	0x7d6b	No error (0)	links.news.privateinternetaccess.com	click-s6-other.esv2.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 14:17:37.493521929 CEST	1.1.1.1	192.168.2.4	0x7d6b	No error (0)	click-s6-other.esv2.com		80.209.249.242	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:37.557634115 CEST	1.1.1.1	192.168.2.4	0x3d35	No error (0)	links.news.privateinternetaccess.com	click-s6-other.esv2.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 14:17:40.356627941 CEST	1.1.1.1	192.168.2.4	0xc35	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 16, 2024 14:17:40.356667995 CEST	1.1.1.1	192.168.2.4	0x6275	No error (0)	www.google.com		74.125.136.106	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:40.356667995 CEST	1.1.1.1	192.168.2.4	0x6275	No error (0)	www.google.com		74.125.136.99	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:40.356667995 CEST	1.1.1.1	192.168.2.4	0x6275	No error (0)	www.google.com		74.125.136.104	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:40.356667995 CEST	1.1.1.1	192.168.2.4	0x6275	No error (0)	www.google.com		74.125.136.103	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:40.356667995 CEST	1.1.1.1	192.168.2.4	0x6275	No error (0)	www.google.com		74.125.136.147	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:40.356667995 CEST	1.1.1.1	192.168.2.4	0x6275	No error (0)	www.google.com		74.125.136.105	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:17:51.905241013 CEST	1.1.1.1	192.168.2.4	0x78e4	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 14:17:51.905241013 CEST	1.1.1.1	192.168.2.4	0x78e4	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:18:04.917459965 CEST	1.1.1.1	192.168.2.4	0xa6df	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 14:18:04.917459965 CEST	1.1.1.1	192.168.2.4	0xa6df	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:18:27.888315916 CEST	1.1.1.1	192.168.2.4	0x8c8f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 14:18:27.888315916 CEST	1.1.1.1	192.168.2.4	0x8c8f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 16, 2024 14:18:48.668412924 CEST	1.1.1.1	192.168.2.4	0x2acb	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 16, 2024 14:18:48.668412924 CEST	1.1.1.1	192.168.2.4	0x2acb	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

links.news.privateinternetaccess.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	80.209.249.242	80	4480	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Apr 16, 2024 14:17:37.776628017 CEST	451	OUT	GET / HTTP/1.1 Host: links.news.privateinternetaccess.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Apr 16, 2024 14:17:38.029953957 CEST	934	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Encoding: gzip Vary: Accept-Encoding Set-Cookie: TEMP_DATA=d1b73f98-64ec-44d4-9972-5f21467405a2; path=/ Date: Tue, 16 Apr 2024 12:17:37 GMT Content-Length: 678 Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e ff ae 4f bf 3c 79 f3 fb bc 3c 4d e7 ed a2 4c 5f 7e f5 e4 f9 d9 49 fa d1 f6 dd bb df bd 77 72 f7 ee d3 37 4f d3 df fb db 6f be 78 9e ee 8e 77 d2 37 75 b6 6c 8a b6 a8 96 59 79 f7 ee e9 8b 8f d2 8f e6 6d bb 7a 74 f7 ee d5 d5 d5 f8 ea de b8 aa 2f ee be 79 75 f7 1d 60 ed e2 65 fd 75 bb f5 de 1c cf da d9 47 47 bf 71 f2 18 5f a5 ef 16 e5 b2 f9 2c 02 67 f7 e1 c3 87 f2 fa 47 29 b7 ce b3 19 fd fc b1 c7 6d d1 96 39 fd 96 d2 f3 ac aa d3 66 3d 69 a6 75 31 c9 6b 6a 75 d7 7c fb 63 8f 17 79 9b a5 cb 6c 91 7f f6 51 5d 4d aa b6 f9 28 9d 56 cb 36 5f b6 9f 7d b4 ac 8a e5 2c 7f 37 5a 56 e7 55 59 56 57 1f a5 77 bb ef 5c 54 d5 45 99 07 ef f0 28 ca ac a5 4f d1 fc f1 5d c5 e9 f1 a4 9a 5d d3 cf 1f 7b 3c 2b 2e f1 f3 c7 e8 b3 b2 58 be 4d e7 75 7e fe d9 47 77 9b f6 ba cc 9b bb 79 5d 57 f5 ef 71 f9 d9 d3 ac c9 9b cb ed 2f 9b c5 f1 f3 df bb 7c 70 f1 13 5f be 3a fb bd 2f 26 c7 cf ef b7 5f ee 4e a6 d9 ab ef 1e 2f 5e dd ff fc f7 df 29 4e 77 3f 4a eb bc fc ec 23 81 30 cf f3 f6 23 74 8d ff d0 59 3a 2d b3 86 c8 77 fa 7a fb 65 76 91 6f 7f 9b 10 ca eb 8f 52 6e fe d9 47 8b ac be 28 96 db 6d b5 7a 94 de df 59 bd 3b 04 dd 7f ec f1 7c ef e8 f7 a9 d6 e9 3c bb cc 09 7a 36 9d e7 b3 b4 9d e7 29 a3 dc e4 f5 65 5e 8f 69 70 7b a6 f1 d9 79 7a 6d da 67 cb eb f4 17 ad f3 06 73 d9 a4 17 55 3a c9 a6 6f d3 b6 42 8b 3a cd 17 59 51 52 9b 19 c1 5d 95 d7 0e ca 0a 58 ff 18 41 bb 67 a0 9d e7 79 89 5f 7e e1 8f df 7b 78 48 80 eb 7c 9a 17 97 84 49 96 2e f2 a6 a1 d1 a4 e7 75 b5 48 01 56 70 6a d2 ab a2 9d 57 eb 16 af d1 64 af f2 7a 51 34 0d 21 32 4a 57 65 4e 44 4d cf ab fa 2a ab 67 69 d1 02 a5 6c b2 6e f2 df 33 7f 47 0d db 26 a7 09 af c7 d3 6a 41 38 dd 23 64 1e df 25 fa d1 cf 1f 33 bf 3c be ab d3 48 0d 88 eb 8e fe 1f 91 26 54 37 1b 03 00 00 Data Ascii: `I%&/m{JJt`$@iG#)eVe]f@{{;N'?\fdlJ!?~\|?"O<y<ML_~Iwr7Ooxw7ulYymzt/yu`euGGq_,gG)m9f=iu1kju\|cylQ]M(V6_},7ZVUYVWw\TE(O]]{<+.XMu~Gwy]Wq/\|p_:/&_N/^)Nw?J#0#tY:-wzevoRnG(mzY;\|<z6)e^ip{yzmgsU:oB:YQR]XAgy_~{xH\|I.uHVpjWdzQ4!2JWeNDMgiln3G&jA8#d%3<H&T7
Apr 16, 2024 14:17:38.049693108 CEST	474	OUT	GET /styles/error?v=Dasesv-OsmALXl7gQORIXgbAL5tO1bcaRWAmR5G_0iE1 HTTP/1.1 Host: links.news.privateinternetaccess.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/css,/;q=0.1 Referer: http://links.news.privateinternetaccess.com/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: TEMP_DATA=d1b73f98-64ec-44d4-9972-5f21467405a2
Apr 16, 2024 14:17:38.294605970 CEST	778	IN	HTTP/1.1 200 OK Cache-Control: public Content-Type: text/css; charset=utf-8 Content-Encoding: gzip Expires: Wed, 16 Apr 2025 12:17:38 GMT Last-Modified: Tue, 16 Apr 2024 12:17:38 GMT Vary: User-Agent,Accept-Encoding Date: Tue, 16 Apr 2024 12:17:38 GMT Content-Length: 495 Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 26 d5 ec fa 17 9f 57 cb 76 fb 3c 5b 14 e5 f5 a3 e3 ba c8 ca 43 fe a4 29 7e 90 3f da dd 5b bd 3b 5c 64 f5 45 b1 7c b4 73 b8 ca 66 b3 62 79 f1 68 e7 97 9c 57 f5 e2 17 47 3e ff f1 d3 d7 db 5f 64 c5 72 fb 24 5f b6 79 9d cf 7e f1 55 31 6b e7 8f 3e dd d9 71 80 b2 75 5b 99 77 b6 db 6a f5 e8 3e be 34 1f 4c aa b6 ad 16 8f 1e e2 b3 49 36 7d 7b 51 57 eb e5 6c 7b 55 35 45 5b 54 cb 47 75 71 31 6f 53 69 e5 37 a8 f3 55 9e b5 8f 96 95 fe d6 c7 25 2d 16 17 63 fa f0 79 75 51 29 f2 db 65 7e de 3e da 45 5f fa 81 00 e6 8f 1c 84 27 d5 bb 5f 3c a9 ea 59 5e 3f 6a aa b2 98 a5 bb ab 77 e9 8f 4f cf f1 df a1 8c 70 ff 80 de 30 83 e0 d7 cd 1f 06 e4 de 7d 02 39 2b 2e 81 c2 97 ab 6c 5a b4 d7 0f ee ff 62 6f 04 c5 22 bb c8 1f ad eb 72 eb e3 bb 27 34 05 84 f6 dd b3 c5 c5 dd ca 34 1e af 96 17 1f df f1 07 6d a9 82 71 a4 44 4b ff 4b a1 c3 23 f9 61 7a 7e 49 7d 6c 7f 3b cf 68 2c e9 7c ef 17 4f ab b2 aa 1f fd f8 a7 9f 7e ea cd fa 1e b0 17 7a d0 ec ce 73 50 9c d1 3f ac 2e f3 fa bc ac ae 1e cd 8b d9 2c 5f 1e b6 f9 bb 76 3b 2b 8b 8b e5 a3 29 a1 9b d7 fa 1a 4f 2b 88 10 ed f6 9e e9 f6 e1 c3 87 5e b7 cc 6c fc e7 95 74 b9 24 2e 23 76 14 90 84 49 af b7 5f f2 ff 00 1a df 99 f0 c1 02 00 00 Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~\|?"&Wv<[C)~?[;\dE\|sfbyhWG>_dr$_y~U1k>qu[wj>4LI6}{QWl{U5E[TGuq1oSi7U%-cyuQ)e~>E_'_<Y^?jwOp0}9+.lZbo"r'44mqDKK#az~I}l;h,\|O~zsP?.,_v;+)O+^lt$.#vI_
Apr 16, 2024 14:17:38.347959995 CEST	472	OUT	GET /favicon.ico HTTP/1.1 Host: links.news.privateinternetaccess.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://links.news.privateinternetaccess.com/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: TEMP_DATA=d1b73f98-64ec-44d4-9972-5f21467405a2
Apr 16, 2024 14:17:38.596025944 CEST	1289	IN	HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Date: Tue, 16 Apr 2024 12:17:38 GMT Content-Length: 1432 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 20 69 64 3d 22 48 65 61 64 31 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 20 20 20 20 45 78 70 65 72 74 53 65 6e 64 65 72 20 3a 20 45 72 72 6f 72 20 34 30 34 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 74 72 61 6e 73 6c 61 74 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 48 6f 6d 65 2f 46 61 76 69 63 6f 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 48 6f 6d 65 2f 46 61 76 69 63 6f 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 65 72 72 6f 72 3f 76 3d 44 61 73 65 73 76 2d 4f 73 6d 41 4c 58 6c 37 67 51 4f 52 49 58 67 62 41 4c 35 74 4f 31 62 63 61 52 57 41 6d 52 35 47 5f 30 69 45 31 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 2f 3e 0d 0a 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 6d 61 69 6e 73 74 79 6c 65 73 3f 76 3d 41 57 76 45 37 4b 75 38 2d 2d 64 6a 48 46 61 39 6d 6e 30 4e 64 55 62 4d 39 6f 55 52 36 37 45 32 55 4a 66 45 50 37 55 32 79 65 4d 31 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 2f 3e 0d 0a 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 43 6f 6e 74 65 6e 74 2f 70 72 65 66 2e 6d 69 6e 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72 79 2e 63 6f 6d 2f 6a 71 75 65 72 79 2d 32 2e 32 2e 33 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72 79 2e 63 6f 6d 2f 6a 71 75 65 72 79 2d 6d 69 67 72 61 74 65 2d 31 2e 32 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 61 6a 61 78 2e 61 73 70 6e 65 74 63 64 6e 2e 63 6f 6d 2f 61 6a 61 78 2f 6a 71 75 65 72 79 2e 76 61 6c 69 64 61 74 65 2f 31 2e 31 34 2e 30 2f 6a 71 75 65 72 79 2e 76 61 6c 69 64 61 74 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head id="Head1"> <title> ExpertSender : Error 404</title> <meta name="google" content="notranslate" /> <meta name="robots" content="noindex,nofollow" /> <link rel="icon" href="/Home/Favicon" /> <link rel="shortcut icon" href="/Home/Favicon" /> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <link href="/styles/error?v=Dasesv-OsmALXl7gQORIXgbAL5tO1bcaRWAmR5G_0iE1" rel="stylesheet"/> <link href="/styles/mainstyles?v=AWvE7Ku8--djHFa9mn0NdUbM9oUR67E2UJfEP7U2yeM1" rel="stylesheet"/> <link rel="stylesheet" href="/Content/pref.min.css" /> <script type="text/javascript" src="https://code.jquery.com/jquery-2.2.3.min.js"></script> <script type="text/javascript" src="https://code.jquery.com/jquery-migrate-1.2.1.min.js"></script> <script type="text/javascript" src="http://ajax.aspnetcdn.com/ajax/jquery.validate/1.14.0/jquery.validate.js"></script> </head><bod
Apr 16, 2024 14:17:38.596079111 CEST	292	IN	Data Raw: 79 3e 0d 0a 20 20 20 20 0d 0a 3c 64 69 76 20 69 64 3d 22 45 53 2d 4d 61 69 6e 2d 43 65 6e 74 65 72 65 64 22 3e 0d 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 45 53 2d 4d 61 69 6e 2d 42 6f 78 22 20 63 6c 61 73 73 3d 22 45 53 2d 4f 70 61 63 69 74 79 Data Ascii: y> <div id="ES-Main-Centered"> <div id="ES-Main-Box" class="ES-Opacity75"> <div class="ES-Page-Header"> <h2>Error 404</h2> <h3>Ooops! Sorry, but this link doesn't seem to work.</h3> <
Apr 16, 2024 14:18:23.608907938 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	80.209.249.242	80	4480	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Apr 16, 2024 14:18:22.780930042 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	80.209.249.242	80	4480	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Apr 16, 2024 14:18:22.890202999 CEST	6	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	23.220.189.216	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 12:17:41 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-16 12:17:41 UTC	468	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/079C) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus2-z1 Cache-Control: public, max-age=153967 Date: Tue, 16 Apr 2024 12:17:41 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	23.220.189.216	443

Timestamp	Bytes transferred	Direction	Data
2024-04-16 12:17:41 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-16 12:17:41 UTC	535	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 01uvbYwAAAACkqWtaEMjWQL/4cpisZkorTUVNMzBFREdFMDgxMQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=153967 Date: Tue, 16 Apr 2024 12:17:41 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-16 12:17:41 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Target ID:	0
Start time:	14:17:31
Start date:	16/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:17:33
Start date:	16/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=2004,i,10016512260190257844,12287985651076443221,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:17:36
Start date:	16/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://links.news.privateinternetaccess.com"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://links.news.privateinternetaccess.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 41

Chrome Cache Entry: 42

Chrome Cache Entry: 43

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5580, Parent PID: 1360

General

Chronological Activities

Analysis Process: chrome.exePID: 4480, Parent PID: 5580

General

Chronological Activities

Analysis Process: chrome.exePID: 6416, Parent PID: 1360

General

Chronological Activities

Disassembly

Windows Analysis Report
http://links.news.privateinternetaccess.com