Edit tour

Windows Analysis Report
https://www.bhninsights.com

Overview

General Information

Sample URL:	https://www.bhninsights.com
Analysis ID:	1428934
Infos:

Errors URL not reachable

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 1548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4656 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 --field-trial-handle=2312,i,7644020683411911557,4789499624779080118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.bhninsights.com" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown

HTTPS traffic detected: 104.98.116.138:443 -> 192.168.2.7:49716 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.98.116.138:443 -> 192.168.2.7:49716 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 168.61.215.74

Source: unknown

DNS traffic detected: queries for: www.bhninsights.com

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A4109005EFEX-BM-CBT: 1696492382X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 60X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: 7964DE11F2244989AF4CA95A808EA94CX-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109005EFEX-MSEdge-ExternalExp: bfbwsbcm0921cf,d-thshld42,websuganno_t2,wsbmsaqfuxt3,wsbqfasmsall_t,wsbqfminiserp500,wsbref-t,wsbuacfX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 516Connection: Keep-AliveCache-Control: no-cacheCookie: SRCHUID=V=2&GUID=19565074ACE142FCABAF0CDCC0DFAAEB&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&LUT=1696492216762&IPMH=45187fb8&IPMID=1696492382078&HV=1696492289; CortanaAppUID=FE52A12E95B5DF3DB5902D0602A16B66; MUID=A92BA4E78D2946A0AFDA5029FA43D7A8; _SS=SID=21E2F496C67F672E2F62E737C76966EF&CPID=1696492383022&AC=1&CPH=644b7eae; _EDGE_S=SID=21E2F496C67F672E2F62E737C76966EF; MUIDB=A92BA4E78D2946A0AFDA5029FA43D7A8

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: classification engine

Classification label: unknown0.win@18/0@4/4

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 --field-trial-handle=2312,i,7644020683411911557,4789499624779080118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.bhninsights.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 --field-trial-handle=2312,i,7644020683411911557,4789499624779080118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
www.google.com	172.253.124.104	true	false	high
www.bhninsights.com	52.219.112.203	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.219.112.203	www.bhninsights.com	United States	16509	AMAZON-02US	false
172.253.124.104	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428934
Start date and time:	2024-04-19 21:34:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://www.bhninsights.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	UNKNOWN
Classification:	unknown0.win@18/0@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	URL browsing timeout or error

Errors

URL not reachable

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, ShellExperienceHost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.9.94, 172.217.215.138, 172.217.215.100, 172.217.215.101, 172.217.215.102, 172.217.215.139, 172.217.215.113, 142.250.9.84, 34.104.35.123, 23.44.104.130, 52.165.165.26, 69.164.42.0, 192.229.211.108, 199.232.214.172, 20.242.39.171, 52.165.164.15, 172.253.124.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, ctldl.windowsupdate.com, time.windows.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, clients.l.google.com, www.gstatic.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://www.bhninsights.com

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 21:35:44.916805029 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 19, 2024 21:35:46.119941950 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 19, 2024 21:35:48.291836977 CEST	49674	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:35:48.292149067 CEST	49675	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:35:48.448067904 CEST	49672	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:35:48.526344061 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 19, 2024 21:35:53.354407072 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 19, 2024 21:35:54.551289082 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 19, 2024 21:35:55.041856050 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 19, 2024 21:35:55.839282990 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 19, 2024 21:35:56.749552011 CEST	49705	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:35:56.749569893 CEST	443	49705	52.219.112.203	192.168.2.7
Apr 19, 2024 21:35:56.749736071 CEST	49705	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:35:56.750256062 CEST	49706	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:35:56.750279903 CEST	443	49706	52.219.112.203	192.168.2.7
Apr 19, 2024 21:35:56.750368118 CEST	49706	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:35:56.750581980 CEST	49705	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:35:56.750593901 CEST	443	49705	52.219.112.203	192.168.2.7
Apr 19, 2024 21:35:56.750945091 CEST	49706	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:35:56.750955105 CEST	443	49706	52.219.112.203	192.168.2.7
Apr 19, 2024 21:35:57.343698978 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 19, 2024 21:35:57.514733076 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:35:57.514755964 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:35:57.514868975 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:35:57.515103102 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:35:57.515110016 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:35:57.733213902 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:35:57.750484943 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:35:57.750497103 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:35:57.751374006 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:35:57.751434088 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:35:57.753295898 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:35:57.753353119 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:35:57.840188980 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:35:57.840203047 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:35:57.941668034 CEST	49674	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:35:57.941695929 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:35:57.941724062 CEST	49675	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:35:58.151561022 CEST	49672	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:35:59.463913918 CEST	443	49698	104.98.116.138	192.168.2.7
Apr 19, 2024 21:35:59.464035988 CEST	49698	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:00.341398001 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 19, 2024 21:36:02.963241100 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 19, 2024 21:36:06.323827982 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 19, 2024 21:36:07.760518074 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:36:07.760569096 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:36:07.760827065 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:36:09.460136890 CEST	49707	443	192.168.2.7	172.253.124.104
Apr 19, 2024 21:36:09.460180044 CEST	443	49707	172.253.124.104	192.168.2.7
Apr 19, 2024 21:36:10.864202023 CEST	49698	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:10.864445925 CEST	49698	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:10.896286964 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:10.896331072 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:10.896549940 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:10.899132013 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:10.899158001 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:11.014575005 CEST	443	49698	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:11.014776945 CEST	443	49698	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:11.211890936 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:11.212074041 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:11.268382072 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:11.268407106 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:11.268781900 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:11.268924952 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:11.269618988 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:11.269650936 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:11.269931078 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:11.316117048 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:13.608653069 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:13.608711004 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:13.608982086 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:13.609025955 CEST	443	49716	104.98.116.138	192.168.2.7
Apr 19, 2024 21:36:13.609071016 CEST	49716	443	192.168.2.7	104.98.116.138
Apr 19, 2024 21:36:18.228908062 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 19, 2024 21:36:26.758939028 CEST	49705	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:36:26.759037971 CEST	49706	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:36:26.800116062 CEST	443	49706	52.219.112.203	192.168.2.7
Apr 19, 2024 21:36:26.800132036 CEST	443	49705	52.219.112.203	192.168.2.7
Apr 19, 2024 21:36:28.033940077 CEST	49718	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:36:28.033970118 CEST	443	49718	52.219.112.203	192.168.2.7
Apr 19, 2024 21:36:28.034123898 CEST	49718	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:36:28.035423994 CEST	49719	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:36:28.035486937 CEST	443	49719	52.219.112.203	192.168.2.7
Apr 19, 2024 21:36:28.035991907 CEST	49719	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:36:28.041150093 CEST	49719	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:36:28.041182995 CEST	443	49719	52.219.112.203	192.168.2.7
Apr 19, 2024 21:36:28.041835070 CEST	49718	443	192.168.2.7	52.219.112.203
Apr 19, 2024 21:36:28.041847944 CEST	443	49718	52.219.112.203	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 21:35:55.359464884 CEST	53	56888	1.1.1.1	192.168.2.7
Apr 19, 2024 21:35:55.370791912 CEST	53	51113	1.1.1.1	192.168.2.7
Apr 19, 2024 21:35:55.973011017 CEST	53	62465	1.1.1.1	192.168.2.7
Apr 19, 2024 21:35:56.599800110 CEST	56380	53	192.168.2.7	1.1.1.1
Apr 19, 2024 21:35:56.599960089 CEST	51629	53	192.168.2.7	1.1.1.1
Apr 19, 2024 21:35:56.744716883 CEST	53	51629	1.1.1.1	192.168.2.7
Apr 19, 2024 21:35:56.748035908 CEST	53	56380	1.1.1.1	192.168.2.7
Apr 19, 2024 21:35:57.402965069 CEST	49274	53	192.168.2.7	1.1.1.1
Apr 19, 2024 21:35:57.403237104 CEST	60215	53	192.168.2.7	1.1.1.1
Apr 19, 2024 21:35:57.507865906 CEST	53	60215	1.1.1.1	192.168.2.7
Apr 19, 2024 21:35:57.507879019 CEST	53	49274	1.1.1.1	192.168.2.7
Apr 19, 2024 21:35:59.124087095 CEST	123	123	192.168.2.7	168.61.215.74
Apr 19, 2024 21:35:59.281367064 CEST	123	123	168.61.215.74	192.168.2.7
Apr 19, 2024 21:36:12.996048927 CEST	53	53994	1.1.1.1	192.168.2.7
Apr 19, 2024 21:36:27.335094929 CEST	53	62874	1.1.1.1	192.168.2.7
Apr 19, 2024 21:36:32.039881945 CEST	53	52771	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 21:35:56.599800110 CEST	192.168.2.7	1.1.1.1	0xc2a7	Standard query (0)	www.bhninsights.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:56.599960089 CEST	192.168.2.7	1.1.1.1	0x2f9c	Standard query (0)	www.bhninsights.com	65	IN (0x0001)	false
Apr 19, 2024 21:35:57.402965069 CEST	192.168.2.7	1.1.1.1	0x994c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:57.403237104 CEST	192.168.2.7	1.1.1.1	0xe939	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 21:35:56.748035908 CEST	1.1.1.1	192.168.2.7	0xc2a7	No error (0)	www.bhninsights.com		52.219.112.203	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:56.748035908 CEST	1.1.1.1	192.168.2.7	0xc2a7	No error (0)	www.bhninsights.com		52.219.193.91	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:56.748035908 CEST	1.1.1.1	192.168.2.7	0xc2a7	No error (0)	www.bhninsights.com		52.219.116.59	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:56.748035908 CEST	1.1.1.1	192.168.2.7	0xc2a7	No error (0)	www.bhninsights.com		52.219.120.99	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:56.748035908 CEST	1.1.1.1	192.168.2.7	0xc2a7	No error (0)	www.bhninsights.com		52.219.112.91	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:56.748035908 CEST	1.1.1.1	192.168.2.7	0xc2a7	No error (0)	www.bhninsights.com		52.219.120.203	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:56.748035908 CEST	1.1.1.1	192.168.2.7	0xc2a7	No error (0)	www.bhninsights.com		52.219.193.35	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:56.748035908 CEST	1.1.1.1	192.168.2.7	0xc2a7	No error (0)	www.bhninsights.com		52.219.194.11	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:57.507865906 CEST	1.1.1.1	192.168.2.7	0xe939	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 19, 2024 21:35:57.507879019 CEST	1.1.1.1	192.168.2.7	0x994c	No error (0)	www.google.com		172.253.124.104	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:57.507879019 CEST	1.1.1.1	192.168.2.7	0x994c	No error (0)	www.google.com		172.253.124.99	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:57.507879019 CEST	1.1.1.1	192.168.2.7	0x994c	No error (0)	www.google.com		172.253.124.105	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:57.507879019 CEST	1.1.1.1	192.168.2.7	0x994c	No error (0)	www.google.com		172.253.124.103	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:57.507879019 CEST	1.1.1.1	192.168.2.7	0x994c	No error (0)	www.google.com		172.253.124.147	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:35:57.507879019 CEST	1.1.1.1	192.168.2.7	0x994c	No error (0)	www.google.com		172.253.124.106	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:36:09.291918993 CEST	1.1.1.1	192.168.2.7	0xbd6b	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 21:36:09.291918993 CEST	1.1.1.1	192.168.2.7	0xbd6b	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:36:09.744673014 CEST	1.1.1.1	192.168.2.7	0xced4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:36:09.744673014 CEST	1.1.1.1	192.168.2.7	0xced4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:36:23.305284977 CEST	1.1.1.1	192.168.2.7	0x75a7	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 19, 2024 21:36:23.305284977 CEST	1.1.1.1	192.168.2.7	0x75a7	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

www.bing.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.7	49716	104.98.116.138	443

Timestamp	Bytes transferred	Direction	Data
2024-04-19 19:36:11 UTC	2205	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A4109005EFE X-BM-CBT: 1696492382 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 60 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: 7964DE11F2244989AF4CA95A808EA94C X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A4109005EFE X-MSEdge-ExternalExp: bfbwsbcm0921cf,d-thshld42,websuganno_t2,wsbmsaqfuxt3,wsbqfasmsall_t,wsbqfminiserp500,wsbref-t,wsbuacf X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 516 Connection: Keep-Alive Cache-Control: no-cache Cookie: SRCHUID=V=2&GUID=19565074ACE142FCABAF0CDCC0DFAAEB&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&LUT=1696492216762&IPMH=45187fb8&IPMID=1696492382078&HV=1696492289; CortanaAppUID=FE52A12E95B5DF3DB5902D0602A16B66; MUID=A92BA4E78D2946A0AFDA5029FA43D7A8; _SS=SID=21E2F496C67F672E2F62E737C76966EF&CPID=1696492383022&AC=1&CPH=644b7eae; _EDGE_S=SID=21E2F496C67F672E2F62E737C76966EF; MUIDB=A92BA4E78D2946A0AFDA5029FA43D7A8
2024-04-19 19:36:11 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-04-19 19:36:11 UTC	515	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 41 39 32 42 41 34 45 37 38 44 32 39 34 36 41 30 41 46 44 41 35 30 32 39 46 41 34 33 44 37 41 38 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 31 45 39 44 31 37 45 34 43 44 34 32 45 42 41 41 36 41 45 35 39 41 36 45 44 35 43 32 32 41 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>A92BA4E78D2946A0AFDA5029FA43D7A8</CID><Events><E><T>Event.ClientInst</T><IG>751E9D17E4CD42EBAA6AE59A6ED5C22A</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-04-19 19:36:13 UTC	480	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 915BA2E760684B4B8681B15627105BD3 Ref B: LAX311000111019 Ref C: 2024-04-19T19:36:11Z Date: Fri, 19 Apr 2024 19:36:13 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.86746268.1713555371.1b604c63

Target ID:	0
Start time:	21:35:48
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	21:35:53
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 --field-trial-handle=2312,i,7644020683411911557,4789499624779080118,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	21:35:55
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.bhninsights.com"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://www.bhninsights.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 1548, Parent PID: 4732

General

Chronological Activities

Analysis Process: chrome.exePID: 4656, Parent PID: 1548

General

Chronological Activities

Analysis Process: chrome.exePID: 396, Parent PID: 4732

General

Chronological Activities

Disassembly

Windows Analysis Report
https://www.bhninsights.com