Edit tour

Windows Analysis Report
https://huiyuan-sh.com/

Overview

General Information

Sample URL:	https://huiyuan-sh.com/
Analysis ID:	1428459
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on favicon image match)

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5484 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=2016,i,16147856606403169602,11218634441725562344,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://huiyuan-sh.com/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Phishing site detected (based on favicon image match)

Source: https://huiyuan-sh.com

Matcher: Template: amazon matched with high similarity

Source: https://huiyuan-sh.com/

HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.36.68.63:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.36.68.63:443 -> 192.168.2.5:49717 version: TLS 1.2

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.68.63
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: huiyuan-sh.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: huiyuan-sh.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://huiyuan-sh.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: huiyuan-sh.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: unknown

DNS traffic detected: queries for: huiyuan-sh.com

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713479531913&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 18 Apr 2024 22:32:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-Encoding

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 23.36.68.63:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.36.68.63:443 -> 192.168.2.5:49717 version: TLS 1.2

Source: classification engine

Classification label: mal48.phis.win@16/11@6/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=2016,i,16147856606403169602,11218634441725562344,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://huiyuan-sh.com/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=2016,i,16147856606403169602,11218634441725562344,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
huiyuan-sh.com	87.121.112.42	true	false	unknown
www.google.com	74.125.138.106	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://huiyuan-sh.com/	false		unknown
https://huiyuan-sh.com/favicon.ico	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
74.125.138.106	www.google.com	United States	15169	GOOGLEUS	false
87.121.112.42	huiyuan-sh.com	Bulgaria	34224	NETERRA-ASBG	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428459
Start date and time:	2024-04-19 00:31:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://huiyuan-sh.com/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.phis.win@16/11@6/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.105.94, 64.233.185.84, 108.177.122.138, 108.177.122.102, 108.177.122.100, 108.177.122.113, 108.177.122.139, 108.177.122.101, 34.104.35.123, 20.12.23.50, 72.21.81.240, 199.232.210.172, 192.229.211.108, 52.165.164.15, 20.3.187.198, 142.250.9.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://huiyuan-sh.com/

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 21:32:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.984807465087292
Encrypted:	false
SSDEEP:	48:8FdFTNdBHSidAKZdA19ehwiZUklqehYy+3:8t3GHy
MD5:	EF1FE467F1F5EF69F08B65AA9DAD8081
SHA1:	491E0E150B28689661319C4AA12B441BB59889A8
SHA-256:	1E368266EE35A4E3529DC0E40255A0E8B2637EB91E0BBAACCDC1812D5D174FF3
SHA-512:	0B34F939D0C75346CA80246D90D37C54E1A2640EDA9022CDD6B192AFAB8A108CB15E5454D1649E318FC4D4A51DB3A0033316133CCB85783F69E9ECA59EBE177C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....+..J....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........C........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 21:32:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.000033879411953
Encrypted:	false
SSDEEP:	48:8midFTNdBHSidAKZdA1weh/iZUkAQkqeh3y+2:8h3E9QWy
MD5:	94C4977605D0B59521A0FD9AA6F996FE
SHA1:	E2B958BAA116CE445C46CCC856FD0D9E2659FEAC
SHA-256:	C932EA8CC724A9AF799855FC57C3F4424406140720989AC753E0CA51F3AD898E
SHA-512:	293F2F161753924C93EFCCDB14DBACC6445A62F372412FA58FCC83D16F93049EA891BE40985B7A2418A456234907C67A16F67DEE519435B10E03C57757704EBC
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......J....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........C........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.008458536501715
Encrypted:	false
SSDEEP:	48:8xGdFTNdsHSidAKZdA14tseh7sFiZUkmgqeh7s1y+BX:8x83znDy
MD5:	3AD15241891B148BA768293A2CC34673
SHA1:	BE9ED523384CF7D6757A6C2354A349B6B2C1480E
SHA-256:	4E12D4BFADF98DE4D4CCA78F1C1587475015FD85E34B15AB35F7A151A125F631
SHA-512:	1F8BC92E8473A116C81C4FAB7149A31215EF4E9BD0FB016F1F743BF9D25C5013F911DF9CA7C618CEBC43675CBEAC0CB09DF0FFBECE07FA52FA790B6CBAA9D682
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........C........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 21:32:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9988600752474075
Encrypted:	false
SSDEEP:	48:8vdFTNdBHSidAKZdA1vehDiZUkwqeh7y+R:8L3PNy
MD5:	23F327A6E681BE0111CB8AB87895D79F
SHA1:	EF97D6E1C8AA582931B9684BDC1A80A97421FC89
SHA-256:	73B2622D38A5AA70E54ED0B7E20F22EA516C676937E2A471E2A81D2691AAD031
SHA-512:	753D89FDC2A81346FF3A5A7A8A7EFEC11EA5F263AAE8A5F82E259EDA15C5F0756A93ECC6BC5F37A5D5D2B1A646920B6D45D4B49C14C91659FBCC9140653F5782
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......J....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........C........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 21:32:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9884575515882177
Encrypted:	false
SSDEEP:	48:8JdFTNdBHSidAKZdA1hehBiZUk1W1qehxy+C:8R3v9Ry
MD5:	402232AFAC471F487936595E49FB658D
SHA1:	E301D68FDCE91E23FE92BF1658C8EDC7DE9D41BD
SHA-256:	FC8B780420777865497A9098132D0A5BD3748AB8C6D4F54ED31B06FEA9FCF62A
SHA-512:	2469C10CB79B6D5513A27439F208BA6925AC768A296647C09071FB7DC336C3D7EFDAA540571AAF88BC00142722D803CB16170E3AB44A8C27134786BCA5A8FD5D
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....N..J....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........C........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 18 21:32:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.000796277553842
Encrypted:	false
SSDEEP:	48:8idFTNdBHSidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbDy+yT+:8I3nT/TbxWOvTbDy7T
MD5:	B9D533C3CF31437DA3F5CE738E0FA23F
SHA1:	2BE8113D26ADBCCB20CDBA2174F4EB4C5FF48C38
SHA-256:	CEE1DE757221DC45FA14E313F2E217C9D928B93C4073826E239D0521295A7815
SHA-512:	3DF8B1B107EB855932AAA048A90B78694CC1D76F693CAE33D8A180582FFA92646040CA3C5D10F463F466F079E8FDEBE95C54685254DC21CA7FF0EF8257995B76
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......J....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........C........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 60

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 4 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	17542
Entropy (8bit):	2.247918084411713
Encrypted:	false
SSDEEP:	192:9dLhJ6/f2dh+xQLeZ10TLwhwOHae6nmErcglsIZS3F:3jaOdhQQu0TLwaOHEr6IZ
MD5:	CA6619B86C2F6E6068B69BA3AADDB7E4
SHA1:	C44A1BB9D14385334EB851FBB0AFB19D961C1EE7
SHA-256:	17D02E2DB6DBEDB95DD449D06868C147AC2C3B5371497BCB9407E75336A99E09
SHA-512:	30F8F8618BFBCD57925411E6860A10B6AD9A60F2A6B08D35C870EA3F4CEC4692596A937FF1457CEFF5847D5DA2B86CEBA0200706625E28C56A2455E6A8C121D3
Malicious:	false
Reputation:	low
Preview:	......00.... ..%..F... .... ......%........ ......6........ .h....@..(...0...`..... ......%.........................................E...................................................................................................................................................?...................................$...........................................................................................................................................................................................B............................................................................r...P..........................................................................................9...............-........................................................r...................................................>......................................................................$..............................................................................................................................

Chrome Cache Entry: 61

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	194
Entropy (8bit):	5.02732657063762
Encrypted:	false
SSDEEP:	3:PIyPhxn0+7JD0bZxgROngsoMHXbZ6iMyF0U96LFa3RsxRNs+GBFK67hXW1Hj:pn0+1Q9xUigsoCX966F0CGxdGzKGSD
MD5:	CBB55BCC4E4C013040B33E22FAAA013D
SHA1:	7995E35B37532EE7ABE715F23225A88A81BEB5D2
SHA-256:	AFCA372F9959CB6C46BDE573D25172C1B223DAC52CBA20FFAD3C8FC2EA09CC8E
SHA-512:	751A6FA05158382C18079BFEB1BD155651C5C0B003AC4A097541FDCC08A1EB3B17E06073A8EC68E9B2F42FE58DE5F8B10CE0E10429FB45535A02352C8A5FFA49
Malicious:	false
Reputation:	low
URL:	https://huiyuan-sh.com/
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You dont have permission to access / on this server.</p></body></html>

Chrome Cache Entry: 62

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 4 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	17542
Entropy (8bit):	2.247918084411713
Encrypted:	false
SSDEEP:	192:9dLhJ6/f2dh+xQLeZ10TLwhwOHae6nmErcglsIZS3F:3jaOdhQQu0TLwaOHEr6IZ
MD5:	CA6619B86C2F6E6068B69BA3AADDB7E4
SHA1:	C44A1BB9D14385334EB851FBB0AFB19D961C1EE7
SHA-256:	17D02E2DB6DBEDB95DD449D06868C147AC2C3B5371497BCB9407E75336A99E09
SHA-512:	30F8F8618BFBCD57925411E6860A10B6AD9A60F2A6B08D35C870EA3F4CEC4692596A937FF1457CEFF5847D5DA2B86CEBA0200706625E28C56A2455E6A8C121D3
Malicious:	false
Reputation:	low
URL:	https://huiyuan-sh.com/favicon.ico
Preview:	......00.... ..%..F... .... ......%........ ......6........ .h....@..(...0...`..... ......%.........................................E...................................................................................................................................................?...................................$...........................................................................................................................................................................................B............................................................................r...P..........................................................................................9...............-........................................................r...................................................>......................................................................$..............................................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 00:32:21.669428110 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:21.669435024 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:21.935008049 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:28.230592966 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.230671883 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.230746984 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.231215954 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.231288910 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.231369019 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.231893063 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.231942892 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.232213020 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.232248068 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.717896938 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.719070911 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.719109058 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.719996929 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.720067978 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.720822096 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.721414089 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.721477032 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.721616030 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.721653938 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.721918106 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.721927881 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.723304033 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.723388910 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.724338055 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.724430084 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.772222996 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.772229910 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:28.772263050 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:28.812375069 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:29.368752003 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:29.368841887 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:29.368911982 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:29.375984907 CEST	49711	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:29.376053095 CEST	443	49711	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:29.585922956 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:29.632119894 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053622961 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053692102 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053715944 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053734064 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053761959 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.053771973 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053792000 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053807020 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.053818941 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053819895 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.053842068 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.053843021 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.053867102 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.053963900 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.054028034 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.054042101 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.054147005 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.054218054 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.057374001 CEST	49710	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.057390928 CEST	443	49710	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.524832964 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.524918079 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.525007010 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.526398897 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:30.526437044 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:30.726902008 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:30.726989985 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:30.727144957 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:30.732814074 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:30.732850075 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:30.855635881 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:30.855726957 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:30.855808020 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:30.871401072 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:30.871440887 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:30.951275110 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:30.951381922 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:30.957271099 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:30.957288980 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:30.957540989 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.009368896 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.010641098 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.011336088 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.011368036 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.014519930 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.014610052 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.015295982 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.015372992 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.015832901 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.015841007 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.056286097 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.082691908 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.099138021 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:31.100229979 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:31.100291014 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:31.101914883 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:31.101991892 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:31.109951019 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:31.110066891 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:31.128122091 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.150106907 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:31.150163889 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:31.195291996 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.195347071 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.195621967 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.195835114 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.195869923 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.195903063 CEST	49715	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.195918083 CEST	443	49715	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.196878910 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:31.234514952 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.234584093 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.234697104 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.235418081 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.235450983 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.447834969 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.447921991 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.452353954 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.452380896 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.452620029 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.456787109 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.504116058 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.540632963 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:31.655775070 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.655846119 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.655961037 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.658392906 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.658432007 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.658466101 CEST	49717	443	192.168.2.5	23.36.68.63
Apr 19, 2024 00:32:31.658480883 CEST	443	49717	23.36.68.63	192.168.2.5
Apr 19, 2024 00:32:31.718735933 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.718771935 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.718781948 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.718799114 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.718832970 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.718842983 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.718872070 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.718902111 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.718908072 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.718926907 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.718945026 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.718970060 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.718986034 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:31.719110012 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.724402905 CEST	49714	443	192.168.2.5	87.121.112.42
Apr 19, 2024 00:32:31.724421978 CEST	443	49714	87.121.112.42	192.168.2.5
Apr 19, 2024 00:32:32.965639114 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:32.965769053 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:41.100519896 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:41.100667000 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:41.100862026 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:42.219526052 CEST	49716	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:32:42.219559908 CEST	443	49716	74.125.138.106	192.168.2.5
Apr 19, 2024 00:32:43.459553003 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:43.459649086 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:43.459975958 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:43.460088968 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:43.460230112 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:43.460465908 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:43.460504055 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:43.614388943 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:43.614406109 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:43.784320116 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:43.784420967 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:43.961904049 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:43.961961985 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:43.963032007 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:43.963118076 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:44.054847956 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:44.055154085 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:44.055229902 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:44.055260897 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:44.415765047 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:44.415868044 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:44.416093111 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:44.416166067 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:32:44.416251898 CEST	443	49724	23.1.237.91	192.168.2.5
Apr 19, 2024 00:32:44.416316986 CEST	49724	443	192.168.2.5	23.1.237.91
Apr 19, 2024 00:33:30.222372055 CEST	49728	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:33:30.222404957 CEST	443	49728	74.125.138.106	192.168.2.5
Apr 19, 2024 00:33:30.222619057 CEST	49728	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:33:30.223011017 CEST	49728	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:33:30.223046064 CEST	443	49728	74.125.138.106	192.168.2.5
Apr 19, 2024 00:33:30.445075035 CEST	443	49728	74.125.138.106	192.168.2.5
Apr 19, 2024 00:33:30.449659109 CEST	49728	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:33:30.449717045 CEST	443	49728	74.125.138.106	192.168.2.5
Apr 19, 2024 00:33:30.450371981 CEST	443	49728	74.125.138.106	192.168.2.5
Apr 19, 2024 00:33:30.454276085 CEST	49728	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:33:30.454488993 CEST	443	49728	74.125.138.106	192.168.2.5
Apr 19, 2024 00:33:30.508136988 CEST	49728	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:33:40.490499973 CEST	443	49728	74.125.138.106	192.168.2.5
Apr 19, 2024 00:33:40.490719080 CEST	443	49728	74.125.138.106	192.168.2.5
Apr 19, 2024 00:33:40.490819931 CEST	49728	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:33:42.135837078 CEST	49728	443	192.168.2.5	74.125.138.106
Apr 19, 2024 00:33:42.135885954 CEST	443	49728	74.125.138.106	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 00:32:25.926197052 CEST	53	55243	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:26.005239010 CEST	53	55134	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:26.598732948 CEST	53	64296	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:27.797863007 CEST	57804	53	192.168.2.5	1.1.1.1
Apr 19, 2024 00:32:27.797863960 CEST	58456	53	192.168.2.5	1.1.1.1
Apr 19, 2024 00:32:28.175518990 CEST	53	57804	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:30.071774006 CEST	53799	53	192.168.2.5	1.1.1.1
Apr 19, 2024 00:32:30.072208881 CEST	55001	53	192.168.2.5	1.1.1.1
Apr 19, 2024 00:32:30.463253021 CEST	53	53799	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:30.537570000 CEST	53	58456	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:30.731571913 CEST	54038	53	192.168.2.5	1.1.1.1
Apr 19, 2024 00:32:30.731695890 CEST	64537	53	192.168.2.5	1.1.1.1
Apr 19, 2024 00:32:30.838242054 CEST	53	54038	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:30.838787079 CEST	53	64537	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:32.694528103 CEST	53	55001	1.1.1.1	192.168.2.5
Apr 19, 2024 00:32:43.700279951 CEST	53	61901	1.1.1.1	192.168.2.5
Apr 19, 2024 00:33:02.525099039 CEST	53	55847	1.1.1.1	192.168.2.5
Apr 19, 2024 00:33:25.569427967 CEST	53	54299	1.1.1.1	192.168.2.5
Apr 19, 2024 00:33:25.821449041 CEST	53	60566	1.1.1.1	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 19, 2024 00:32:30.537663937 CEST	192.168.2.5	1.1.1.1	c1e5	(Port unreachable)	Destination Unreachable
Apr 19, 2024 00:32:32.694631100 CEST	192.168.2.5	1.1.1.1	c1e5	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 00:32:27.797863007 CEST	192.168.2.5	1.1.1.1	0xd77c	Standard query (0)	huiyuan-sh.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:27.797863960 CEST	192.168.2.5	1.1.1.1	0xd75e	Standard query (0)	huiyuan-sh.com	65	IN (0x0001)	false
Apr 19, 2024 00:32:30.071774006 CEST	192.168.2.5	1.1.1.1	0xeeff	Standard query (0)	huiyuan-sh.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.072208881 CEST	192.168.2.5	1.1.1.1	0xd711	Standard query (0)	huiyuan-sh.com	65	IN (0x0001)	false
Apr 19, 2024 00:32:30.731571913 CEST	192.168.2.5	1.1.1.1	0xb80f	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.731695890 CEST	192.168.2.5	1.1.1.1	0x877a	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 00:32:28.175518990 CEST	1.1.1.1	192.168.2.5	0xd77c	No error (0)	huiyuan-sh.com		87.121.112.42	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.463253021 CEST	1.1.1.1	192.168.2.5	0xeeff	No error (0)	huiyuan-sh.com		87.121.112.42	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.537570000 CEST	1.1.1.1	192.168.2.5	0xd75e	Server failure (2)	huiyuan-sh.com	none	none	65	IN (0x0001)	false
Apr 19, 2024 00:32:30.838242054 CEST	1.1.1.1	192.168.2.5	0xb80f	No error (0)	www.google.com		74.125.138.106	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.838242054 CEST	1.1.1.1	192.168.2.5	0xb80f	No error (0)	www.google.com		74.125.138.147	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.838242054 CEST	1.1.1.1	192.168.2.5	0xb80f	No error (0)	www.google.com		74.125.138.99	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.838242054 CEST	1.1.1.1	192.168.2.5	0xb80f	No error (0)	www.google.com		74.125.138.105	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.838242054 CEST	1.1.1.1	192.168.2.5	0xb80f	No error (0)	www.google.com		74.125.138.103	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.838242054 CEST	1.1.1.1	192.168.2.5	0xb80f	No error (0)	www.google.com		74.125.138.104	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:30.838787079 CEST	1.1.1.1	192.168.2.5	0x877a	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 19, 2024 00:32:32.694528103 CEST	1.1.1.1	192.168.2.5	0xd711	Server failure (2)	huiyuan-sh.com	none	none	65	IN (0x0001)	false
Apr 19, 2024 00:32:43.211163998 CEST	1.1.1.1	192.168.2.5	0xff75	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 00:32:43.211163998 CEST	1.1.1.1	192.168.2.5	0xff75	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:32:55.994725943 CEST	1.1.1.1	192.168.2.5	0xaf85	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 00:32:55.994725943 CEST	1.1.1.1	192.168.2.5	0xaf85	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:33:17.583322048 CEST	1.1.1.1	192.168.2.5	0x7b37	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 00:33:17.583322048 CEST	1.1.1.1	192.168.2.5	0x7b37	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 19, 2024 00:33:38.631314039 CEST	1.1.1.1	192.168.2.5	0xab89	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 00:33:38.631314039 CEST	1.1.1.1	192.168.2.5	0xab89	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

huiyuan-sh.com

https:

www.bing.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	87.121.112.42	443	5484	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 22:32:28 UTC	657	OUT	GET / HTTP/1.1 Host: huiyuan-sh.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-18 22:32:29 UTC	188	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 18 Apr 2024 22:32:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding
2024-04-18 22:32:29 UTC	205	IN	Data Raw: 63 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 70 3e 59 6f 75 20 64 6f 6e 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: c2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You dont have permission to access / on this server.</p></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	87.121.112.42	443	5484	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 22:32:29 UTC	584	OUT	GET /favicon.ico HTTP/1.1 Host: huiyuan-sh.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://huiyuan-sh.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-18 22:32:30 UTC	277	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 18 Apr 2024 22:32:29 GMT Content-Type: image/x-icon Content-Length: 17542 Last-Modified: Mon, 09 May 2022 09:40:28 GMT Connection: close ETag: "6278e18c-4486" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes
2024-04-18 22:32:30 UTC	16107	IN	Data Raw: 00 00 01 00 04 00 30 30 00 00 01 00 20 00 a8 25 00 00 46 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 ee 25 00 00 18 18 00 00 01 00 20 00 88 09 00 00 96 36 00 00 10 10 00 00 01 00 20 00 68 04 00 00 1e 40 00 00 28 00 00 00 30 00 00 00 60 00 00 00 01 00 20 00 00 00 00 00 80 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 45 ff ff ff 99 ff ff ff cc ff ff ff f3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 00 %F % 6 h@(0` %E
2024-04-18 22:32:30 UTC	1435	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 75 ff ff ff 09 ff ff ff c3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff bd ff ff ff 06 00 00 00 00 ff ff ff 03 ff ff ff 75 ff ff ff d2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff cf ff ff ff 75 ff ff ff 03 00 00 00 00 80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: uuu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	87.121.112.42	443	5484	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 22:32:31 UTC	349	OUT	GET /favicon.ico HTTP/1.1 Host: huiyuan-sh.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-18 22:32:31 UTC	277	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 18 Apr 2024 22:32:31 GMT Content-Type: image/x-icon Content-Length: 17542 Last-Modified: Mon, 09 May 2022 09:40:28 GMT Connection: close ETag: "6278e18c-4486" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes
2024-04-18 22:32:31 UTC	16107	IN	Data Raw: 00 00 01 00 04 00 30 30 00 00 01 00 20 00 a8 25 00 00 46 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 ee 25 00 00 18 18 00 00 01 00 20 00 88 09 00 00 96 36 00 00 10 10 00 00 01 00 20 00 68 04 00 00 1e 40 00 00 28 00 00 00 30 00 00 00 60 00 00 00 01 00 20 00 00 00 00 00 80 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 45 ff ff ff 99 ff ff ff cc ff ff ff f3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 00 %F % 6 h@(0` %E
2024-04-18 22:32:31 UTC	1435	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 75 ff ff ff 09 ff ff ff c3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff bd ff ff ff 06 00 00 00 00 ff ff ff 03 ff ff ff 75 ff ff ff d2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff cf ff ff ff 75 ff ff ff 03 00 00 00 00 80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: uuu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	23.36.68.63	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 22:32:31 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-18 22:32:31 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0758) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=203477 Date: Thu, 18 Apr 2024 22:32:31 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	23.36.68.63	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 22:32:31 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-18 22:32:31 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0rcGnYgAAAAANOnx9vccHTr21ROgX9ESTU0pDRURHRTAzMDkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=203475 Date: Thu, 18 Apr 2024 22:32:31 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-18 22:32:31 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.5	49724	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-04-18 22:32:44 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1713479531913&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-04-18 22:32:44 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-04-18 22:32:44 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-04-18 22:32:44 UTC	479	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: D1A34E19573C4383AA6F41F29A60842A Ref B: LAX311000112021 Ref C: 2024-04-18T22:32:44Z Date: Thu, 18 Apr 2024 22:32:44 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1713479564.db934ea

Target ID:	0
Start time:	00:32:22
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	00:32:24
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=2016,i,16147856606403169602,11218634441725562344,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	00:32:27
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://huiyuan-sh.com/"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://huiyuan-sh.com/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 4052, Parent PID: 5552

General

Chronological Activities

Analysis Process: chrome.exePID: 5484, Parent PID: 4052

General

Windows Analysis Report
https://huiyuan-sh.com/