Edit tour

Windows Analysis Report
http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/

Overview

General Information

Sample URL:	http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/
Analysis ID:	1638245
Infos:

Detection

HTMLPhisher

Score:	76
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Yara detected HtmlPhish10

Uses IPFS gateway to access IPFS content in browser (often used in phishing/scams)

Creates files inside the system directory

Deletes files inside the Windows folder

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6800 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5708 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12801263729217419109,10388789673455714418,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2040 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12801263729217419109,10388789673455714418,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4892 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7596 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/" MD5: E81F54E6C1129887AEA47E7D092680BF)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_82	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTML

Source	Rule	Description	Author	Strings
0.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Suricata Signatures

ET PHISHING Generic Custom Logo Phishing Landing

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T10:15:30.326903+0100	2031099	2	Possible Social Engineering Attempted	172.64.146.87	443	192.168.2.5	49723	TCP

ET PHISHING Generic Custom Logo Phishing Landing 2021-03-10

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T10:15:30.326903+0100	2031923	2	Possible Social Engineering Attempted	172.64.146.87	443	192.168.2.5	49723	TCP

ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T10:15:30.326903+0100	2032515	2	Possible Social Engineering Attempted	172.64.146.87	443	192.168.2.5	49723	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/

Avira URL Cloud: detection malicious, Label: phishing

Antivirus detection for URL or domain

Source: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/favicon.ico

Avira URL Cloud: Label: phishing

Phishing

AI detected phishing page

Source: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/

Joe Sandbox AI: Score: 9 Reasons: The URL provided is a subdomain of 'ipfs.w3s.link', which is not associated with Zimbra., Zimbra is a known brand, typically associated with the domain 'zimbra.com'., The use of 'ipfs.w3s.link' suggests the content is hosted on a decentralized storage network, which is unusual for a legitimate Zimbra login page., The URL contains a hash-like string, which is atypical for a legitimate brand's login page., The presence of input fields for 'Username' and 'Password' on a non-legitimate domain is a common phishing tactic. DOM: 0.0.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_82, type: DROPPED

Uses IPFS gateway to access IPFS content in browser (often used in phishing/scams)

Source: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/

HTTP Parser: Gateway: w3s.link

Source: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.64.146.87:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.94.90.3:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: Network traffic	Suricata IDS: 2031099 - Severity 2 - ET PHISHING Generic Custom Logo Phishing Landing : 172.64.146.87:443 -> 192.168.2.5:49723
Source: Network traffic	Suricata IDS: 2031923 - Severity 2 - ET PHISHING Generic Custom Logo Phishing Landing 2021-03-10 : 172.64.146.87:443 -> 192.168.2.5:49723
Source: Network traffic	Suricata IDS: 2032515 - Severity 2 - ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing : 172.64.146.87:443 -> 192.168.2.5:49723

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.linkConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.linkConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=trP0xdQE_HyiEBxsrJt2BpJr4Tjuh3jMWSUyaNyxd.0-1741943730-1.0.1.1-Ygi51Z4RfeNaNVyYLNQbwYYIT0MQghGyMsle7CjO4pbzJafdaQk880BPChub4hzL_v_F296aXDmfLBjrUGfi9qRLlUYCFlz7GEAMQ_DnyF8
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.linkConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link
Source: global traffic	DNS traffic detected: DNS query: bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Mar 2025 09:15:33 GMTContent-Type: text/plain; charset=utf-8Content-Length: 191Connection: closeaccess-control-allow-headers: Content-Typeaccess-control-allow-headers: Rangeaccess-control-allow-headers: User-Agentaccess-control-allow-headers: X-Requested-Withaccess-control-allow-methods: GETaccess-control-allow-methods: HEADaccess-control-allow-methods: OPTIONSaccess-control-allow-origin: *access-control-expose-headers: Content-Lengthaccess-control-expose-headers: Content-Rangeaccess-control-expose-headers: X-Chunked-Outputaccess-control-expose-headers: X-Ipfs-Pathaccess-control-expose-headers: X-Ipfs-Rootsaccess-control-expose-headers: X-Stream-Outputx-content-type-options: nosniffx-ipfs-path: /ipfs/bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si/favicon.icox-ipfs-pop: rainbow-dc13-04CF-Cache-Status: EXPIREDSet-Cookie: __cflb=0H28vZKYwx1YfcVJ9tP4oFsUinNVyXq6GWCSLca5Cp4; SameSite=None; Secure; path=/; expires=Sat, 15-Mar-25 08:15:33 GMT; HttpOnlyServer: cloudflareCF-RAY: 9202aacadea341ef-EWRalt-svc: h3=":443"; ma=86400

Source: chromecache_82.1.dr	String found in binary or memory: https://advertisingdigitalsolutions.com/zzib/post.php
Source: chromecache_82.1.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: chromecache_82.1.dr	String found in binary or memory: https://blog.zimbra.com
Source: chromecache_82.1.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/jquery.session
Source: chromecache_82.1.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: chromecache_82.1.dr	String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: chromecache_82.1.dr	String found in binary or memory: https://logo.clearbit.com/
Source: chromecache_82.1.dr	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: chromecache_82.1.dr	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: chromecache_82.1.dr	String found in binary or memory: https://webmail.brinkster.com/zimbra/css/common
Source: chromecache_82.1.dr	String found in binary or memory: https://webmail.brinkster.com/zimbra/img/logo/favicon.ico
Source: chromecache_82.1.dr	String found in binary or memory: https://wiki.zimbra.com
Source: chromecache_82.1.dr	String found in binary or memory: https://www.google.com/s2/favicons?domain=
Source: chromecache_82.1.dr	String found in binary or memory: https://www.zimbra.com
Source: chromecache_82.1.dr	String found in binary or memory: https://www.zimbra.com.
Source: chromecache_82.1.dr	String found in binary or memory: https://www.zimbra.com/forums

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.64.146.87:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.94.90.3:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir6800_1862736818

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir6800_1862736818

Jump to behavior

Source: classification engine

Classification label: mal76.phis.win@25/2@8/4

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:7632:120:WilError_03

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12801263729217419109,10388789673455714418,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2040 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12801263729217419109,10388789673455714418,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4892 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12801263729217419109,10388789673455714418,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2040 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12801263729217419109,10388789673455714418,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4892 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/	100%	Avira URL Cloud	phishing

Source	Detection	Scanner	Label
https://blog.zimbra.com	0%	Avira URL Cloud	safe
https://advertisingdigitalsolutions.com/zzib/post.php	0%	Avira URL Cloud	safe
https://webmail.brinkster.com/zimbra/css/common	0%	Avira URL Cloud	safe
https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link/favicon.ico	0%	Avira URL Cloud	safe
https://webmail.brinkster.com/zimbra/img/logo/favicon.ico	0%	Avira URL Cloud	safe
https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/favicon.ico	100%	Avira URL Cloud	phishing
https://wiki.zimbra.com	0%	Avira URL Cloud	safe
https://www.zimbra.com.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	104.18.41.169	true	false	unknown
www.google.com	142.250.185.132	true	false	high
bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link	209.94.90.3	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/favicon.ico	true	Avira URL Cloud: phishing	unknown
https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link/favicon.ico	false	Avira URL Cloud: safe	unknown
https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.zimbra.com	chromecache_82.1.dr	false		high
https://blog.zimbra.com	chromecache_82.1.dr	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	chromecache_82.1.dr	false		high
https://webmail.brinkster.com/zimbra/img/logo/favicon.ico	chromecache_82.1.dr	false	Avira URL Cloud: safe	unknown
https://www.zimbra.com.	chromecache_82.1.dr	false	Avira URL Cloud: safe	unknown
https://code.jquery.com/jquery-3.2.1.slim.min.js	chromecache_82.1.dr	false		high
https://cdn.jsdelivr.net/npm/jquery.session	chromecache_82.1.dr	false		high
https://webmail.brinkster.com/zimbra/css/common	chromecache_82.1.dr	false	Avira URL Cloud: safe	unknown
https://www.zimbra.com/forums	chromecache_82.1.dr	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js	chromecache_82.1.dr	false		high
https://logo.clearbit.com/	chromecache_82.1.dr	false		high
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js	chromecache_82.1.dr	false		high
https://wiki.zimbra.com	chromecache_82.1.dr	false	Avira URL Cloud: safe	unknown
https://advertisingdigitalsolutions.com/zzib/post.php	chromecache_82.1.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/s2/favicons?domain=	chromecache_82.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.64.146.87	unknown	United States	13335	CLOUDFLARENETUS	false
209.94.90.3	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link	United States	40680	PROTOCOLUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638245
Start date and time:	2025-03-14 10:14:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.phis.win@25/2@8/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 216.58.206.35, 172.217.16.206, 142.250.74.206, 142.250.110.84, 172.217.18.14, 142.250.181.238, 142.250.186.174, 142.250.185.78, 142.250.184.238, 142.250.185.110, 142.250.186.35, 142.250.185.206, 142.250.184.195, 142.250.186.78, 20.12.23.50, 150.171.28.10, 2.19.96.66
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (721), with CRLF line terminators
Category:	downloaded
Size (bytes):	17843
Entropy (8bit):	5.166336555676162
Encrypted:	false
SSDEEP:	384:Hu+t9JvqUwJVS68EhJmkTXqBeJeXfyFqECYYItE3G3/0L:HuVn8EhJmkTXqBykpItEL
MD5:	ADD76DEFA7824F3049A3973BA74B3D38
SHA1:	5AE9140F527E2E449948C872628902DCE05B7ECE
SHA-256:	FB786A19CC208129415E0D9305EACF7A2C8E5CDA43BFD2D5C69C40C5720F3B92
SHA-512:	9D80F3842F15DB269476FC8286DD41B0D74D6400E5B9EA7553EDAC32EEB8DF7B1D1AFD6BC09B09D4F3501D04A61B00831FCBF110B95975EC1389C4F6DEA46380
Malicious:	false
Reputation:	low
URL:	https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/
Preview:	.<html class="user_font_size_normal" lang="en"><head>.....<meta http-equiv="Content-Type" content="text/html;charset=utf-8">...<title>Zimbra Web Client Sign In</title>...<meta name="viewport" content="width=device-width, initial-scale=1.0">...<meta name="description" content="Zimbra provides open source server and client software for messaging and collaboration. To find out more visit https://www.zimbra.com.">...<meta name="apple-mobile-web-app-capable" content="yes">...<meta name="apple-mobile-web-app-status-bar-style" content="black">...<link rel="stylesheet" type="text/css" href="https://webmail.brinkster.com/zimbra/css/common,login,zhtml,skin.css?skin=harmony&v=220204081523">...<link rel="SHORTCUT ICON" href="https://webmail.brinkster.com/zimbra/img/logo/favicon.ico">......</head>..<body onload="onLoad();">.....<div class="LoginScreen">....<div class="center">.....<div class="contentBox">......<h1><a href="#" id="bannerLink" target="_new" title="Zimbra"><span class="ScreenRea

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-14T10:15:30.326903+0100	2031099	ET PHISHING Generic Custom Logo Phishing Landing	2	172.64.146.87	443	192.168.2.5	49723	TCP
2025-03-14T10:15:30.326903+0100	2031923	ET PHISHING Generic Custom Logo Phishing Landing 2021-03-10	2	172.64.146.87	443	192.168.2.5	49723	TCP
2025-03-14T10:15:30.326903+0100	2032515	ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing	2	172.64.146.87	443	192.168.2.5	49723	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 10:15:13.970068932 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 10:15:14.282104969 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 10:15:14.891474009 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 10:15:14.938369989 CET	49672	443	192.168.2.5	204.79.197.203
Mar 14, 2025 10:15:16.094590902 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 10:15:18.500911951 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 10:15:23.313345909 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 10:15:24.547753096 CET	49672	443	192.168.2.5	204.79.197.203
Mar 14, 2025 10:15:27.900593996 CET	49722	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:15:27.900650978 CET	443	49722	142.250.185.132	192.168.2.5
Mar 14, 2025 10:15:27.900719881 CET	49722	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:15:27.900886059 CET	49722	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:15:27.900902033 CET	443	49722	142.250.185.132	192.168.2.5
Mar 14, 2025 10:15:28.548007011 CET	443	49722	142.250.185.132	192.168.2.5
Mar 14, 2025 10:15:28.548101902 CET	49722	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:15:28.549213886 CET	49722	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:15:28.549227953 CET	443	49722	142.250.185.132	192.168.2.5
Mar 14, 2025 10:15:28.549448013 CET	443	49722	142.250.185.132	192.168.2.5
Mar 14, 2025 10:15:28.594613075 CET	49722	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:15:29.588463068 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:29.588507891 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:29.588707924 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:29.588757992 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:29.588763952 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.055342913 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.055461884 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.056579113 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.056588888 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.056895018 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.057245016 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.104337931 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.239181042 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.239320993 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.239351988 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.239389896 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.239392042 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.239422083 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.239443064 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.239466906 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.239520073 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.239527941 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.239972115 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.240003109 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.240009069 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.240016937 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.240055084 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.240061045 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.282129049 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.282169104 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.326647043 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.326683044 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.326773882 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:30.326801062 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.326850891 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.327272892 CET	49723	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:30.327295065 CET	443	49723	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:31.418503046 CET	49724	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:31.418555021 CET	443	49724	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:31.418740034 CET	49724	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:31.419054031 CET	49724	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:31.419070005 CET	443	49724	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:31.873116016 CET	443	49724	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:31.873451948 CET	49724	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:31.873496056 CET	443	49724	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:31.873661995 CET	49724	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:31.873667955 CET	443	49724	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:32.216324091 CET	443	49724	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:32.216387033 CET	443	49724	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:32.216439962 CET	49724	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:32.216759920 CET	49724	443	192.168.2.5	172.64.146.87
Mar 14, 2025 10:15:32.216778040 CET	443	49724	172.64.146.87	192.168.2.5
Mar 14, 2025 10:15:32.244915009 CET	49725	443	192.168.2.5	209.94.90.3
Mar 14, 2025 10:15:32.244942904 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:32.245011091 CET	49725	443	192.168.2.5	209.94.90.3
Mar 14, 2025 10:15:32.245229006 CET	49725	443	192.168.2.5	209.94.90.3
Mar 14, 2025 10:15:32.245242119 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:32.848608971 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:32.848773956 CET	49725	443	192.168.2.5	209.94.90.3
Mar 14, 2025 10:15:32.850555897 CET	49725	443	192.168.2.5	209.94.90.3
Mar 14, 2025 10:15:32.850569963 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:32.850820065 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:32.851252079 CET	49725	443	192.168.2.5	209.94.90.3
Mar 14, 2025 10:15:32.892330885 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:32.922847033 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 10:15:33.264266968 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:33.264343977 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:33.264406919 CET	49725	443	192.168.2.5	209.94.90.3
Mar 14, 2025 10:15:33.266014099 CET	49725	443	192.168.2.5	209.94.90.3
Mar 14, 2025 10:15:33.266043901 CET	443	49725	209.94.90.3	192.168.2.5
Mar 14, 2025 10:15:38.454794884 CET	443	49722	142.250.185.132	192.168.2.5
Mar 14, 2025 10:15:38.454869032 CET	443	49722	142.250.185.132	192.168.2.5
Mar 14, 2025 10:15:38.454950094 CET	49722	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:15:42.862988949 CET	49722	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:15:42.863030910 CET	443	49722	142.250.185.132	192.168.2.5
Mar 14, 2025 10:16:06.861581087 CET	49696	80	192.168.2.5	199.232.214.172
Mar 14, 2025 10:16:06.861634016 CET	49703	80	192.168.2.5	199.232.214.172
Mar 14, 2025 10:16:06.867099047 CET	80	49696	199.232.214.172	192.168.2.5
Mar 14, 2025 10:16:06.867209911 CET	49696	80	192.168.2.5	199.232.214.172
Mar 14, 2025 10:16:06.867434978 CET	80	49703	199.232.214.172	192.168.2.5
Mar 14, 2025 10:16:06.867484093 CET	49703	80	192.168.2.5	199.232.214.172
Mar 14, 2025 10:16:07.629857063 CET	49697	443	192.168.2.5	2.23.227.208
Mar 14, 2025 10:16:07.630053043 CET	49702	80	192.168.2.5	2.23.77.188
Mar 14, 2025 10:16:27.956149101 CET	49735	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:16:27.956198931 CET	443	49735	142.250.185.132	192.168.2.5
Mar 14, 2025 10:16:27.956257105 CET	49735	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:16:27.956537008 CET	49735	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:16:27.956547976 CET	443	49735	142.250.185.132	192.168.2.5
Mar 14, 2025 10:16:28.619936943 CET	443	49735	142.250.185.132	192.168.2.5
Mar 14, 2025 10:16:28.620552063 CET	49735	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:16:28.620588064 CET	443	49735	142.250.185.132	192.168.2.5
Mar 14, 2025 10:16:38.519815922 CET	443	49735	142.250.185.132	192.168.2.5
Mar 14, 2025 10:16:38.519893885 CET	443	49735	142.250.185.132	192.168.2.5
Mar 14, 2025 10:16:38.519958019 CET	49735	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:16:39.722186089 CET	49735	443	192.168.2.5	142.250.185.132
Mar 14, 2025 10:16:39.722242117 CET	443	49735	142.250.185.132	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 10:15:23.227849007 CET	53	49190	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:23.571980000 CET	53	58652	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:25.946746111 CET	53	65234	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:27.892654896 CET	57649	53	192.168.2.5	1.1.1.1
Mar 14, 2025 10:15:27.892908096 CET	59034	53	192.168.2.5	1.1.1.1
Mar 14, 2025 10:15:27.899386883 CET	53	57649	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:27.899403095 CET	53	59034	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:29.556745052 CET	65379	53	192.168.2.5	1.1.1.1
Mar 14, 2025 10:15:29.558073044 CET	54761	53	192.168.2.5	1.1.1.1
Mar 14, 2025 10:15:29.561777115 CET	65091	53	192.168.2.5	1.1.1.1
Mar 14, 2025 10:15:29.561912060 CET	56932	53	192.168.2.5	1.1.1.1
Mar 14, 2025 10:15:29.567186117 CET	53	65379	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:29.567751884 CET	53	54761	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:29.575304031 CET	53	56932	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:29.586755991 CET	53	65091	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:32.219054937 CET	64836	53	192.168.2.5	1.1.1.1
Mar 14, 2025 10:15:32.219198942 CET	56068	53	192.168.2.5	1.1.1.1
Mar 14, 2025 10:15:32.228960991 CET	53	64836	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:32.233222961 CET	53	56068	1.1.1.1	192.168.2.5
Mar 14, 2025 10:15:42.871078968 CET	53	57399	1.1.1.1	192.168.2.5
Mar 14, 2025 10:16:01.739839077 CET	53	52108	1.1.1.1	192.168.2.5
Mar 14, 2025 10:16:17.242142916 CET	138	138	192.168.2.5	192.168.2.255
Mar 14, 2025 10:16:23.297029972 CET	53	59655	1.1.1.1	192.168.2.5
Mar 14, 2025 10:16:24.166739941 CET	53	63247	1.1.1.1	192.168.2.5
Mar 14, 2025 10:16:26.462611914 CET	53	54416	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 14, 2025 10:15:27.892654896 CET	192.168.2.5	1.1.1.1	0xa519	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:27.892908096 CET	192.168.2.5	1.1.1.1	0x5c03	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 14, 2025 10:15:29.556745052 CET	192.168.2.5	1.1.1.1	0xc1fd	Standard query (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:29.558073044 CET	192.168.2.5	1.1.1.1	0x89db	Standard query (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	65	IN (0x0001)	false
Mar 14, 2025 10:15:29.561777115 CET	192.168.2.5	1.1.1.1	0xbbe7	Standard query (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:29.561912060 CET	192.168.2.5	1.1.1.1	0x58eb	Standard query (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	65	IN (0x0001)	false
Mar 14, 2025 10:15:32.219054937 CET	192.168.2.5	1.1.1.1	0x2d0e	Standard query (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:32.219198942 CET	192.168.2.5	1.1.1.1	0xd3b7	Standard query (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 14, 2025 10:15:27.899386883 CET	1.1.1.1	192.168.2.5	0xa519	No error (0)	www.google.com	142.250.185.132	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:27.899403095 CET	1.1.1.1	192.168.2.5	0x5c03	No error (0)	www.google.com		65	IN (0x0001)	false
Mar 14, 2025 10:15:29.567186117 CET	1.1.1.1	192.168.2.5	0xc1fd	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	104.18.41.169	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:29.567186117 CET	1.1.1.1	192.168.2.5	0xc1fd	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	172.64.146.87	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:29.567751884 CET	1.1.1.1	192.168.2.5	0x89db	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link		65	IN (0x0001)	false
Mar 14, 2025 10:15:29.575304031 CET	1.1.1.1	192.168.2.5	0x58eb	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link		65	IN (0x0001)	false
Mar 14, 2025 10:15:29.586755991 CET	1.1.1.1	192.168.2.5	0xbbe7	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	172.64.146.87	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:29.586755991 CET	1.1.1.1	192.168.2.5	0xbbe7	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link	104.18.41.169	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:32.228960991 CET	1.1.1.1	192.168.2.5	0x2d0e	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link	209.94.90.3	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:32.228960991 CET	1.1.1.1	192.168.2.5	0x2d0e	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link	209.94.90.2	A (IP address)	IN (0x0001)	false
Mar 14, 2025 10:15:32.233222961 CET	1.1.1.1	192.168.2.5	0xd3b7	No error (0)	bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link		65	IN (0x0001)	false

HTTP Request Dependency Graph

bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link

bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49723	172.64.146.87	443	5708	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 09:15:30 UTC	723	OUT	GET / HTTP/1.1 Host: bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-14 09:15:30 UTC	1260	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 09:15:30 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 17843 Connection: close CF-Ray: 9202aab969184fb3-EWR CF-Cache-Status: HIT Accept-Ranges: bytes Access-Control-Allow-Origin: * Age: 24264 Cache-Control: public, max-age=29030400 ETag: "bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si" Expires: Fri, 13 Feb 2026 09:15:30 GMT Vary: Accept-Encoding Access-Control-Allow-Methods: GET, HEAD Access-Control-Expose-Headers: Link content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: https://.w3s.link https://.nftstorage.link https://.dweb.link https://ipfs.io/ipfs/ https://.githubusercontent.com https://tableland.network https://.tableland.network ; form-action 'self'; navigate-to 'self'; connect-src 'self' blob: data: https://.w3s.link https://.nftstorage.link https://.dweb.link https://ipfs.io/ipfs/ https://.githubusercontent.com https://tableland.network https://.tableland.network ; report-to csp-endpoint ; report-uri https://csp-report-to.web3.storage reporting-endpoints: csp-endpoint="https://csp-report-to.web3.storage" x-dotstorage-resolution-id: cache-zone x-dotstorage-resolution-layer: cdn x-freeway-version: 2.28.1
2025-03-14 09:15:30 UTC	310	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 5f 62 6d 3d 74 72 50 30 78 64 51 45 5f 48 79 69 45 42 78 73 72 4a 74 32 42 70 4a 72 34 54 6a 75 68 33 6a 4d 57 53 55 79 61 4e 79 78 64 2e 30 2d 31 37 34 31 39 34 33 37 33 30 2d 31 2e 30 2e 31 2e 31 2d 59 67 69 35 31 5a 34 52 66 65 4e 61 4e 56 79 59 4c 4e 51 62 77 59 59 49 54 30 4d 51 67 68 47 79 4d 73 6c 65 37 43 6a 4f 34 70 62 7a 4a 61 66 64 61 51 6b 38 38 30 42 50 43 68 75 62 34 68 7a 4c 5f 76 5f 46 32 39 36 61 58 44 6d 66 4c 42 6a 72 55 47 66 69 39 71 52 4c 6c 55 59 43 46 6c 7a 37 47 45 41 4d 51 5f 44 6e 79 46 38 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 46 72 69 2c 20 31 34 2d 4d 61 72 2d 32 35 20 30 39 3a 34 35 3a 33 30 20 47 4d 54 3b 20 64 6f 6d 61 69 6e 3d 2e 77 33 73 2e 6c 69 6e 6b 3b 20 Data Ascii: Set-Cookie: __cf_bm=trP0xdQE_HyiEBxsrJt2BpJr4Tjuh3jMWSUyaNyxd.0-1741943730-1.0.1.1-Ygi51Z4RfeNaNVyYLNQbwYYIT0MQghGyMsle7CjO4pbzJafdaQk880BPChub4hzL_v_F296aXDmfLBjrUGfi9qRLlUYCFlz7GEAMQ_DnyF8; path=/; expires=Fri, 14-Mar-25 09:45:30 GMT; domain=.w3s.link;
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: ef bb bf 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 75 73 65 72 5f 66 6f 6e 74 5f 73 69 7a 65 5f 6e 6f 72 6d 61 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0d 0a 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 09 3c 74 69 74 6c 65 3e 5a 69 6d 62 72 61 20 57 65 62 20 43 6c 69 65 6e 74 20 53 69 67 6e 20 49 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 Data Ascii: <html class="user_font_size_normal" lang="en"><head><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><title>Zimbra Web Client Sign In</title><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: 64 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 3e 3c 69 6e 70 75 74 20 69 64 3d 22 65 6d 61 69 6c 22 20 63 6c 61 73 73 3d 22 7a 4c 6f 67 69 6e 46 69 65 6c 64 22 20 6e 61 6d 65 3d 22 65 6d 61 69 6c 22 20 74 79 70 65 3d 22 74 65 78 74 22 20 73 69 7a 65 3d 22 34 30 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 31 30 32 34 22 20 61 75 74 6f 63 61 70 69 74 61 6c 69 7a 65 3d 22 6f 66 66 22 20 61 75 74 6f 63 6f 72 72 65 63 74 3d 22 6f 66 66 22 20 64 69 73 61 62 6c 65 64 3e 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: d> <td><input id="email" class="zLoginField" name="email" type="text" size="40" maxlength="1024" autocapitalize="off" autocorrect="off" disabled></td> </tr>
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: 6c 69 65 6e 74 22 3e 56 65 72 73 69 6f 6e 3a 3c 2f 6c 61 62 65 6c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 64 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 73 69 74 69 6f 6e 69 6e 67 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 65 6c 65 63 74 20 69 64 3d 22 63 6c 69 65 6e 74 22 20 6e 61 6d 65 3d 22 63 6c 69 65 6e 74 22 20 6f 6e 63 68 61 6e 67 65 3d 22 63 6c 69 65 6e 74 43 68 61 6e 67 65 28 74 68 69 73 2e 6f 70 74 69 6f 6e 73 5b 74 68 69 73 2e 73 65 6c Data Ascii: lient">Version:</label> </td> <td> <div class="positioning"> <select id="client" name="client" onchange="clientChange(this.options[this.sel
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: 3e 20 6f 66 66 65 72 73 20 74 68 65 20 66 75 6c 6c 20 73 65 74 20 6f 66 20 57 65 62 20 63 6f 6c 6c 61 62 6f 72 61 74 69 6f 6e 20 66 65 61 74 75 72 65 73 2e 20 54 68 69 73 20 57 65 62 20 43 6c 69 65 6e 74 20 77 6f 72 6b 73 20 62 65 73 74 20 77 69 74 68 20 6e 65 77 65 72 20 62 72 6f 77 73 65 72 73 20 61 6e 64 20 66 61 73 74 65 72 20 49 6e 74 65 72 6e 65 74 20 63 6f 6e 6e 65 63 74 69 6f 6e 73 2e 20 3c 62 72 3e 3c 62 72 3e 3c 62 3e 53 74 61 6e 64 61 72 64 3c 2f 62 3e 20 69 73 20 72 65 63 6f 6d 6d 65 6e 64 65 64 20 77 68 65 6e 20 49 6e 74 65 72 6e 65 74 20 63 6f 6e 6e 65 63 74 69 6f 6e 73 20 61 72 65 20 73 6c 6f 77 2c 20 77 68 65 6e 20 75 73 69 6e 67 20 6f 6c 64 65 72 20 62 72 6f 77 73 65 72 73 2c 20 6f 72 20 66 6f 72 20 65 61 73 69 65 72 20 61 63 63 65 73 73 Data Ascii: > offers the full set of Web collaboration features. This Web Client works best with newer browsers and faster Internet connections. <br><br><b>Standard</b> is recommended when Internet connections are slow, when using older browsers, or for easier access
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 70 79 72 69 67 68 74 22 3e 0d 0a 09 09 09 43 6f 70 79 72 69 67 68 74 20 c2 a9 20 32 30 30 35 2d 32 30 32 31 20 53 79 6e 61 63 6f 72 2c 20 49 6e 63 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 20 22 5a 69 6d 62 72 61 22 20 69 73 20 61 20 72 65 67 69 73 74 65 72 65 64 20 74 72 61 64 65 6d 61 72 6b 20 6f 66 20 53 79 6e 61 63 6f 72 2c 20 49 6e 63 2e 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 65 63 6f 72 32 22 3e 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 5a 6d 53 6b 69 6e 28 65 29 7b 0d 0a 74 68 69 73 2e 68 69 6e 74 73 3d 74 68 69 73 2e 6d 65 72 67 65 4f 62 6a Data Ascii: <div class="copyright">Copyright 2005-2021 Synacor, Inc. All rights reserved. "Zimbra" is a registered trademark of Synacor, Inc.</div></div><div class="decor2"></div></div><script>function ZmSkin(e){this.hints=this.mergeObj
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: 69 6f 6e 3a 22 4e 22 2c 74 72 61 6e 73 69 74 69 6f 6e 73 3a 5b 7b 0d 0a 74 79 70 65 3a 22 66 61 64 65 2d 69 6e 22 2c 73 74 65 70 3a 35 2c 64 75 72 61 74 69 6f 6e 3a 35 30 7d 0d 0a 2c 7b 0d 0a 74 79 70 65 3a 22 70 61 75 73 65 22 2c 64 75 72 61 74 69 6f 6e 3a 35 30 30 30 7d 0d 0a 2c 7b 0d 0a 74 79 70 65 3a 22 66 61 64 65 2d 6f 75 74 22 2c 73 74 65 70 3a 2d 31 30 2c 64 75 72 61 74 69 6f 6e 3a 35 30 30 7d 0d 0a 5d 7d 0d 0a 2c 66 75 6c 6c 53 63 72 65 65 6e 3a 7b 0d 0a 63 6f 6e 74 61 69 6e 65 72 73 3a 5b 22 21 73 6b 69 6e 5f 74 64 5f 74 72 65 65 22 2c 22 21 73 6b 69 6e 5f 74 64 5f 74 72 65 65 5f 61 70 70 5f 73 61 73 68 22 5d 7d 0d 0a 2c 61 6c 6c 41 64 73 3a 7b 0d 0a 63 6f 6e 74 61 69 6e 65 72 73 3a 5b 22 73 6b 69 6e 5f 74 72 5f 74 6f 70 5f 61 64 22 2c 22 73 6b Data Ascii: ion:"N",transitions:[{type:"fade-in",step:5,duration:50},{type:"pause",duration:5000},{type:"fade-out",step:-10,duration:500}]},fullScreen:{containers:["!skin_td_tree","!skin_td_tree_app_sash"]},allAds:{containers:["skin_tr_top_ad","sk
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: 46 45 52 45 4e 43 45 53 2c 74 29 0d 0a 7d 65 6c 73 65 7b 0d 0a 74 68 69 73 2e 5f 67 6f 74 6f 50 72 65 66 50 61 67 65 28 65 29 0d 0a 7d 7d 0d 0a 2c 6d 65 72 67 65 4f 62 6a 65 63 74 73 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 6f 29 7b 0d 0a 69 66 28 65 3d 3d 6e 75 6c 6c 29 7b 0d 0a 65 3d 7b 7d 0d 0a 7d 0d 0a 66 6f 72 28 76 61 72 20 61 3d 31 3b 0d 0a 61 3c 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 0d 0a 61 2b 2b 29 7b 0d 0a 76 61 72 20 6e 3d 61 72 67 75 6d 65 6e 74 73 5b 61 5d 3b 0d 0a 66 6f 72 28 76 61 72 20 74 20 69 6e 20 6e 29 7b 0d 0a 76 61 72 20 73 3d 65 5b 74 5d 3b 0d 0a 69 66 28 74 79 70 65 6f 66 20 73 3d 3d 22 6f 62 6a 65 63 74 22 26 26 21 28 73 20 69 6e 73 74 61 6e 63 65 6f 66 20 41 72 72 61 79 29 29 7b 0d 0a 74 68 69 73 2e 6d 65 72 67 65 4f 62 Data Ascii: FERENCES,t)}else{this._gotoPrefPage(e)}},mergeObjects:function(e,o){if(e==null){e={}}for(var a=1;a<arguments.length;a++){var n=arguments[a];for(var t in n){var s=e[t];if(typeof s=="object"&&!(s instanceof Array)){this.mergeOb
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: 22 0d 0a 7d 7d 7d 0d 0a 69 66 28 61 21 3d 74 2e 73 74 79 6c 65 2e 64 69 73 70 6c 61 79 29 7b 0d 0a 74 2e 73 74 79 6c 65 2e 64 69 73 70 6c 61 79 3d 61 3b 0d 0a 72 65 74 75 72 6e 20 74 72 75 65 0d 0a 7d 65 6c 73 65 7b 0d 0a 72 65 74 75 72 6e 20 66 61 6c 73 65 0d 0a 7d 7d 0d 0a 2c 5f 68 69 64 65 45 6c 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 0d 0a 72 65 74 75 72 6e 20 74 68 69 73 2e 5f 73 68 6f 77 45 6c 28 65 2c 66 61 6c 73 65 29 0d 0a 7d 0d 0a 2c 5f 72 65 70 61 72 65 6e 74 45 6c 3a 66 75 6e 63 74 69 6f 6e 28 69 2c 65 29 7b 0d 0a 76 61 72 20 61 3d 74 68 69 73 2e 5f 67 65 74 45 6c 28 65 29 3b 0d 0a 76 61 72 20 74 3d 61 26 26 74 68 69 73 2e 5f 67 65 74 45 6c 28 69 29 3b 0d 0a 69 66 28 74 29 7b 0d 0a 61 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 74 29 0d 0a 7d 7d 0d Data Ascii: "}}}if(a!=t.style.display){t.style.display=a;return true}else{return false}},_hideEl:function(e){return this._showEl(e,false)},_reparentEl:function(i,e){var a=this._getEl(e);var t=a&&this._getEl(i);if(t){a.appendChild(t)}}
2025-03-14 09:15:30 UTC	1369	IN	Data Raw: 63 68 6f 72 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 5a 4c 6f 67 69 6e 57 68 61 74 73 54 68 69 73 41 6e 63 68 6f 72 27 29 2c 0d 0a 20 20 20 20 20 20 20 20 74 6f 6f 6c 74 69 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 5a 4c 6f 67 69 6e 57 68 61 74 73 54 68 69 73 22 29 2c 0d 0a 20 20 20 20 20 20 20 20 64 6f 48 69 64 65 20 3d 20 28 74 6f 6f 6c 74 69 70 2e 73 74 79 6c 65 2e 64 69 73 70 6c 61 79 20 3d 3d 3d 20 22 62 6c 6f 63 6b 22 29 3b 0d 0a 20 20 20 20 74 6f 6f 6c 74 69 70 2e 73 74 79 6c 65 2e 64 69 73 70 6c 61 79 20 3d 20 64 6f 48 69 64 65 20 3f 20 22 6e 6f 6e 65 22 20 3a 20 22 62 6c 6f 63 6b 22 3b 0d 0a 20 20 20 20 61 6e 63 68 6f 72 2e 73 65 74 41 74 74 72 69 62 75 74 65 Data Ascii: chor = document.getElementById('ZLoginWhatsThisAnchor'), tooltip = document.getElementById("ZLoginWhatsThis"), doHide = (tooltip.style.display === "block"); tooltip.style.display = doHide ? "none" : "block"; anchor.setAttribute

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49724	172.64.146.87	443	5708	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 09:15:31 UTC	897	OUT	GET /favicon.ico HTTP/1.1 Host: bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=trP0xdQE_HyiEBxsrJt2BpJr4Tjuh3jMWSUyaNyxd.0-1741943730-1.0.1.1-Ygi51Z4RfeNaNVyYLNQbwYYIT0MQghGyMsle7CjO4pbzJafdaQk880BPChub4hzL_v_F296aXDmfLBjrUGfi9qRLlUYCFlz7GEAMQ_DnyF8
2025-03-14 09:15:32 UTC	986	IN	HTTP/1.1 307 Temporary Redirect Date: Fri, 14 Mar 2025 09:15:32 GMT Content-Length: 0 Connection: close Location: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link/favicon.ico Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Link content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: https://.w3s.link https://.nftstorage.link https://.dweb.link https://ipfs.io/ipfs/ https://.githubusercontent.com https://tableland.network https://.tableland.network ; form-action 'self'; navigate-to 'self'; connect-src 'self' blob: data: https://.w3s.link https://.nftstorage.link https://.dweb.link https://ipfs.io/ipfs/ https://.githubusercontent.com https://tableland.network https://.tableland.network ; report-to csp-endpoint ; report-uri https://csp-report-to.web3.storage reporting-endpoints: csp-endpoint="https://csp-report-to.web3.storage" Server: cloudflare CF-RAY: 9202aac4cfd7a0fb-EWR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	209.94.90.3	443	5708	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 09:15:32 UTC	743	OUT	GET /favicon.ico HTTP/1.1 Host: bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.dweb.link Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Sec-Fetch-Storage-Access: active Referer: https://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-14 09:15:33 UTC	1138	IN	HTTP/1.1 404 Not Found Date: Fri, 14 Mar 2025 09:15:33 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 191 Connection: close access-control-allow-headers: Content-Type access-control-allow-headers: Range access-control-allow-headers: User-Agent access-control-allow-headers: X-Requested-With access-control-allow-methods: GET access-control-allow-methods: HEAD access-control-allow-methods: OPTIONS access-control-allow-origin: * access-control-expose-headers: Content-Length access-control-expose-headers: Content-Range access-control-expose-headers: X-Chunked-Output access-control-expose-headers: X-Ipfs-Path access-control-expose-headers: X-Ipfs-Roots access-control-expose-headers: X-Stream-Output x-content-type-options: nosniff x-ipfs-path: /ipfs/bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si/favicon.ico x-ipfs-pop: rainbow-dc13-04 CF-Cache-Status: EXPIRED Set-Cookie: __cflb=0H28vZKYwx1YfcVJ9tP4oFsUinNVyXq6GWCSLca5Cp4; SameSite=None; Secure; path=/; expires=Sat, 15-Mar-25 08:15:33 GMT; HttpOnly Server: cloudflare CF-RAY: 9202aacadea341ef-EWR alt-svc: h3=":443"; ma=86400
2025-03-14 09:15:33 UTC	191	IN	Data Raw: 66 61 69 6c 65 64 20 74 6f 20 72 65 73 6f 6c 76 65 20 2f 69 70 66 73 2f 62 61 66 6b 72 65 69 68 33 70 62 76 62 74 74 62 61 71 65 75 75 63 78 71 6e 73 6d 63 36 76 74 33 32 66 73 68 66 7a 77 73 64 78 37 6a 6e 6c 72 75 34 69 64 63 78 65 64 7a 33 73 69 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 3a 20 6e 6f 20 6c 69 6e 6b 20 6e 61 6d 65 64 20 22 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 75 6e 64 65 72 20 62 61 66 6b 72 65 69 68 33 70 62 76 62 74 74 62 61 71 65 75 75 63 78 71 6e 73 6d 63 36 76 74 33 32 66 73 68 66 7a 77 73 64 78 37 6a 6e 6c 72 75 34 69 64 63 78 65 64 7a 33 73 69 0a Data Ascii: failed to resolve /ipfs/bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si/favicon.ico: no link named "favicon.ico" under bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si

Target ID:	0
Start time:	05:15:16
Start date:	14/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff606150000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:15:21
Start date:	14/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12801263729217419109,10388789673455714418,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2040 /prefetch:3
Imagebase:	0x7ff606150000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:15:24
Start date:	14/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12801263729217419109,10388789673455714418,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4892 /prefetch:8
Imagebase:	0x7ff606150000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:15:28
Start date:	14/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/"
Imagebase:	0x7ff606150000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:16:14
Start date:	14/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7e2000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 82

Static File Info

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6800, Parent PID: 1212

General

Chronological Activities

Analysis Process: chrome.exePID: 5708, Parent PID: 6800

General

Chronological Activities

Analysis Process: chrome.exePID: 7480, Parent PID: 6800

General

Chronological Activities

Windows Analysis Report
http://bafkreih3pbvbttbaqeuucxqnsmc6vt32fshfzwsdx7jnlru4idcxedz3si.ipfs.w3s.link/