Create Interactive Tour

Windows Analysis Report
https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login

Overview

General Information

Sample URL:	https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login
Analysis ID:	1294212
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found iframes

HTML title does not match URL

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5292 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 4884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1816,i,13182273645002761532,11264324182047488038,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 3416 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

cleanup

HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-115.0.5790.171Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_300.1.dr	String found in binary or memory: http://api.jqueryui.com/category/ui-core/
Source: chromecache_300.1.dr	String found in binary or memory: http://api.jqueryui.com/datepicker/
Source: chromecache_346.1.dr, chromecache_305.1.dr	String found in binary or memory: http://api.jqueryui.com/position/
Source: chromecache_346.1.dr	String found in binary or memory: http://benalman.com/about/license/
Source: chromecache_307.1.dr	String found in binary or memory: http://brandonaaron.net)
Source: chromecache_278.1.dr	String found in binary or memory: http://bugs.jquery.com/ticket/11820
Source: chromecache_344.1.dr, chromecache_336.1.dr	String found in binary or memory: http://cldr.unicode.org).
Source: chromecache_317.1.dr	String found in binary or memory: http://developer.apple.com/library/IOS/#documentation/AppleApplications/Reference/SafariWebContent/O
Source: chromecache_307.1.dr	String found in binary or memory: http://docs.jquery.com/Plugins/livequery
Source: chromecache_346.1.dr	String found in binary or memory: http://docs.jquery.com/UI
Source: chromecache_317.1.dr	String found in binary or memory: http://es5.github.com/#x9.11
Source: chromecache_324.1.dr	String found in binary or memory: http://es5.github.io/#x15.4.4.17
Source: chromecache_324.1.dr	String found in binary or memory: http://es5.github.io/#x15.4.4.21
Source: chromecache_300.1.dr	String found in binary or memory: http://github.com/millermedeiros/hasher
Source: chromecache_317.1.dr, chromecache_324.1.dr	String found in binary or memory: http://jira.successfactors.com/browse/RCM-17058?focusedCommentId=1334712&page=com.atlassian.jira.plu
Source: chromecache_346.1.dr	String found in binary or memory: http://jquery.com/
Source: chromecache_300.1.dr, chromecache_305.1.dr	String found in binary or memory: http://jquery.org/license
Source: chromecache_346.1.dr	String found in binary or memory: http://jquerymobile.com
Source: chromecache_305.1.dr	String found in binary or memory: http://jqueryui.com
Source: chromecache_346.1.dr	String found in binary or memory: http://jqueryui.com/about)
Source: chromecache_376.1.dr	String found in binary or memory: http://malsup.com/jquery/form/
Source: chromecache_376.1.dr	String found in binary or memory: http://malsup.github.com/gpl-license-v2.txt
Source: chromecache_376.1.dr	String found in binary or memory: http://malsup.github.com/mit-license.txt
Source: chromecache_346.1.dr	String found in binary or memory: http://medialize.github.io/URI.js/
Source: chromecache_300.1.dr	String found in binary or memory: http://millermedeiros.github.com/crossroads.js/
Source: chromecache_300.1.dr	String found in binary or memory: http://millermedeiros.github.com/js-signals/
Source: chromecache_365.1.dr	String found in binary or memory: http://schemas.sap.com/sapui5/extension/sap.ui.core.CustomData/1
Source: chromecache_346.1.dr	String found in binary or memory: http://schemas.sap.com/sapui5/extension/sap.ui.core.FESR/1
Source: chromecache_346.1.dr	String found in binary or memory: http://sizzlejs.com/
Source: chromecache_317.1.dr	String found in binary or memory: http://stackoverflow.com/questions/17907445/how-to-detect-ie11
Source: chromecache_317.1.dr	String found in binary or memory: http://techpatterns.com/
Source: chromecache_317.1.dr	String found in binary or memory: http://techpatterns.com/downloads/javascript_browser_detection.php
Source: chromecache_324.1.dr	String found in binary or memory: http://ufku.com/personal/bbc2html
Source: chromecache_300.1.dr	String found in binary or memory: http://underscorejs.org/LICENSE
Source: chromecache_300.1.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: chromecache_346.1.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0)
Source: chromecache_317.1.dr	String found in binary or memory: http://www.dynamic-tools.net/toolbox/isMouseLeaveOrEnter/
Source: chromecache_346.1.dr	String found in binary or memory: http://www.json.org/
Source: chromecache_317.1.dr	String found in binary or memory: http://www.nic.fi/~tapio1/Teaching/index1.php3
Source: chromecache_346.1.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license
Source: chromecache_346.1.dr	String found in binary or memory: http://www.sap.com/
Source: chromecache_317.1.dr	String found in binary or memory: http://www.sencha.com/forum/archive/index.php/t-120468.html
Source: chromecache_344.1.dr, chromecache_336.1.dr	String found in binary or memory: http://www.unicode.org/copyright.html
Source: chromecache_317.1.dr	String found in binary or memory: https://confluence.successfactors.com/display/ENG/Reverse
Source: chromecache_324.1.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener
Source: chromecache_324.1.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/every
Source: chromecache_324.1.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter
Source: chromecache_324.1.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf#Polyf
Source: chromecache_317.1.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/map#polyfill
Source: chromecache_317.1.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/bind#Polyf
Source: chromecache_317.1.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/keys
Source: chromecache_340.1.dr	String found in binary or memory: https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=
Source: chromecache_317.1.dr	String found in binary or memory: https://github.com/SAP/openui5/blob/master/src/sap.ui.documentation/src/sap/ui/documentation/sdk/Com
Source: chromecache_317.1.dr	String found in binary or memory: https://github.com/SAP/openui5/blob/master/src/sap.ui.documentation/src/sap/ui/documentation/sdk/con
Source: chromecache_346.1.dr	String found in binary or memory: https://github.com/douglascrockford/JSON-js/blob/ff55d8d4513b149e2511aee01c3a61d372837d1f/json_parse
Source: chromecache_324.1.dr	String found in binary or memory: https://github.com/jonathantneal/Polyfills-for-IE8/blob/master/getComputedStyle.js
Source: chromecache_305.1.dr	String found in binary or memory: https://github.com/jquery/jquery-color
Source: chromecache_376.1.dr	String found in binary or memory: https://github.com/malsup/form
Source: chromecache_300.1.dr	String found in binary or memory: https://github.com/sindresorhus/p-cancelable/tree/v2.0.0
Source: chromecache_317.1.dr	String found in binary or memory: https://github.wdf.sap.corp/bizx/idl-surj/blob/master/idl-surj-web/src/main/webapp/ui/surj/js/core/s
Source: chromecache_317.1.dr	String found in binary or memory: https://github.wdf.sap.corp/xweb/core-utils/blob/master/src/util/contentDensity.js
Source: chromecache_317.1.dr	String found in binary or memory: https://hacks.mozilla.org/2013/04/detecting-touch-its-the-why-not-the-how
Source: chromecache_346.1.dr, chromecache_300.1.dr	String found in binary or memory: https://jquery.com/
Source: chromecache_346.1.dr, chromecache_300.1.dr	String found in binary or memory: https://jquery.org/license
Source: chromecache_346.1.dr	String found in binary or memory: https://js.foundation/
Source: chromecache_376.1.dr	String found in binary or memory: https://learn.jquery.com/using-jquery-core/document-ready/
Source: chromecache_300.1.dr	String found in binary or memory: https://lodash.com/
Source: chromecache_300.1.dr	String found in binary or memory: https://lodash.com/license
Source: chromecache_300.1.dr	String found in binary or memory: https://openjsf.org/
Source: chromecache_331.1.dr	String found in binary or memory: https://performancemanager10.successfactors.com
Source: chromecache_300.1.dr	String found in binary or memory: https://sdk.openui5.org/topic/e6bb33d076dc4f23be50c082c271b9f0.
Source: chromecache_340.1.dr, chromecache_324.1.dr	String found in binary or memory: https://search.sap.com/search.html?t=
Source: chromecache_346.1.dr	String found in binary or memory: https://sizzlejs.com/

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; AEC=Ad49MVGiijyX5dxPFAKxKYso-rIS24Ht-Pxs5fU9hHrAzfASnm-jqdQE1g; NID=511=WyMJovC2uA2AEbHQkGfP-KDdYCeg5Q7Mv6gxYT-qeugtrnXImrhmp1SixwS4ydh_E8Z0hdfCLAXvg2WUqsBSfqpx5SFvCCoeGeevqlEfkoxYi9FTISb8Cu7rr5rf9PyyNbLqf2QbxG7ja7jAB6UJQd5CPvMGcYUasORCRKRL1-arNYzfADAWHJvBLXml-Km_uewDreOyJ-MjxAI-i38Tl6LXI3zB; 1P_JAR=2023-08-10-10

Source: classification engine

Classification label: clean1.win@30/120@20/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1816,i,13182273645002761532,11264324182047488038,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1816,i,13182273645002761532,11264324182047488038,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_BITS_5292_1732285186

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_5292_1732285186	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\ssl_error_assistant.pb	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\manifest.fingerprint	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Drive-by Compromise	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	0%	Virustotal		Browse
https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label	Link
https://openjsf.org/	0%	URL Reputation	safe
http://es5.github.io/#x15.4.4.21	0%	URL Reputation	safe
http://medialize.github.io/URI.js/	0%	URL Reputation	safe
https://js.foundation/	0%	URL Reputation	safe
http://brandonaaron.net)	0%	Avira URL Cloud	safe
http://cldr.unicode.org).	0%	Avira URL Cloud	safe
http://ufku.com/personal/bbc2html	0%	Avira URL Cloud	safe
http://www.dynamic-tools.net/toolbox/isMouseLeaveOrEnter/	0%	Avira URL Cloud	safe
http://es5.github.io/#x15.4.4.17	0%	Avira URL Cloud	safe
https://github.wdf.sap.corp/xweb/core-utils/blob/master/src/util/contentDensity.js	0%	Avira URL Cloud	safe
https://github.wdf.sap.corp/bizx/idl-surj/blob/master/idl-surj-web/src/main/webapp/ui/surj/js/core/s	0%	Avira URL Cloud	safe
http://techpatterns.com/downloads/javascript_browser_detection.php	0%	Avira URL Cloud	safe
http://techpatterns.com/	0%	Avira URL Cloud	safe
http://www.nic.fi/~tapio1/Teaching/index1.php3	0%	Avira URL Cloud	safe
http://es5.github.io/#x15.4.4.17	1%	Virustotal		Browse

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
accounts.google.com	172.217.168.77	true	false	high
www.google.com	172.217.168.68	true	false	high
clients.l.google.com	142.250.203.110	true	false	high
clients2.google.com	unknown	unknown	false	high
royhill.plateau.com	unknown	unknown	false	high
performancemanager10.successfactors.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://royhill.plateau.com/learning/user/site/catalogSearch.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	false	high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false	high
https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	false	high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false	high
https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.json.org/	chromecache_346.1.dr	false		high
http://api.jqueryui.com/datepicker/	chromecache_300.1.dr	false		high
http://jquery.org/license	chromecache_300.1.dr, chromecache_305.1.dr	false		high
https://confluence.successfactors.com/display/ENG/Reverse	chromecache_317.1.dr	false		high
https://github.com/SAP/openui5/blob/master/src/sap.ui.documentation/src/sap/ui/documentation/sdk/con	chromecache_317.1.dr	false		high
https://hacks.mozilla.org/2013/04/detecting-touch-its-the-why-not-the-how	chromecache_317.1.dr	false		high
http://es5.github.com/#x9.11	chromecache_317.1.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/bind#Polyf	chromecache_317.1.dr	false		high
http://www.unicode.org/copyright.html	chromecache_344.1.dr, chromecache_336.1.dr	false		high
http://sizzlejs.com/	chromecache_346.1.dr	false		high
http://jqueryui.com	chromecache_305.1.dr	false		high
https://learn.jquery.com/using-jquery-core/document-ready/	chromecache_376.1.dr	false		high
http://brandonaaron.net)	chromecache_307.1.dr	false	Avira URL Cloud: safe	low
http://jquerymobile.com	chromecache_346.1.dr	false		high
http://docs.jquery.com/Plugins/livequery	chromecache_307.1.dr	false		high
http://es5.github.io/#x15.4.4.17	chromecache_324.1.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.sap.com/sapui5/extension/sap.ui.core.CustomData/1	chromecache_365.1.dr	false		high
http://cldr.unicode.org).	chromecache_344.1.dr, chromecache_336.1.dr	false	Avira URL Cloud: safe	low
https://github.com/jquery/jquery-color	chromecache_305.1.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/keys	chromecache_317.1.dr	false		high
http://jira.successfactors.com/browse/RCM-17058?focusedCommentId=1334712&page=com.atlassian.jira.plu	chromecache_317.1.dr, chromecache_324.1.dr	false		high
http://benalman.com/about/license/	chromecache_346.1.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf#Polyf	chromecache_324.1.dr	false		high
https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=	chromecache_340.1.dr	false		high
http://ufku.com/personal/bbc2html	chromecache_324.1.dr	false	Avira URL Cloud: safe	unknown
http://www.opensource.org/licenses/mit-license	chromecache_346.1.dr	false		high
http://www.dynamic-tools.net/toolbox/isMouseLeaveOrEnter/	chromecache_317.1.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0)	chromecache_346.1.dr	false		high
http://millermedeiros.github.com/js-signals/	chromecache_300.1.dr	false		high
http://malsup.github.com/gpl-license-v2.txt	chromecache_376.1.dr	false		high
https://openjsf.org/	chromecache_300.1.dr	false	URL Reputation: safe	unknown
http://es5.github.io/#x15.4.4.21	chromecache_324.1.dr	false	URL Reputation: safe	unknown
https://github.wdf.sap.corp/bizx/idl-surj/blob/master/idl-surj-web/src/main/webapp/ui/surj/js/core/s	chromecache_317.1.dr	false	Avira URL Cloud: safe	unknown
http://www.sap.com/	chromecache_346.1.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	chromecache_300.1.dr	false		high
http://bugs.jquery.com/ticket/11820	chromecache_278.1.dr	false		high
https://github.wdf.sap.corp/xweb/core-utils/blob/master/src/util/contentDensity.js	chromecache_317.1.dr	false	Avira URL Cloud: safe	unknown
http://techpatterns.com/downloads/javascript_browser_detection.php	chromecache_317.1.dr	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter	chromecache_324.1.dr	false		high
http://docs.jquery.com/UI	chromecache_346.1.dr	false		high
https://lodash.com/	chromecache_300.1.dr	false		high
http://malsup.com/jquery/form/	chromecache_376.1.dr	false		high
http://api.jqueryui.com/category/ui-core/	chromecache_300.1.dr	false		high
http://github.com/millermedeiros/hasher	chromecache_300.1.dr	false		high
https://github.com/jonathantneal/Polyfills-for-IE8/blob/master/getComputedStyle.js	chromecache_324.1.dr	false		high
http://api.jqueryui.com/position/	chromecache_346.1.dr, chromecache_305.1.dr	false		high
https://github.com/sindresorhus/p-cancelable/tree/v2.0.0	chromecache_300.1.dr	false		high
https://performancemanager10.successfactors.com	chromecache_331.1.dr	false		high
http://schemas.sap.com/sapui5/extension/sap.ui.core.FESR/1	chromecache_346.1.dr	false		high
http://techpatterns.com/	chromecache_317.1.dr	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener	chromecache_324.1.dr	false		high
https://sdk.openui5.org/topic/e6bb33d076dc4f23be50c082c271b9f0.	chromecache_300.1.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/map#polyfill	chromecache_317.1.dr	false		high
http://underscorejs.org/LICENSE	chromecache_300.1.dr	false		high
https://jquery.org/license	chromecache_346.1.dr, chromecache_300.1.dr	false		high
http://medialize.github.io/URI.js/	chromecache_346.1.dr	false	URL Reputation: safe	unknown
https://github.com/SAP/openui5/blob/master/src/sap.ui.documentation/src/sap/ui/documentation/sdk/Com	chromecache_317.1.dr	false		high
https://jquery.com/	chromecache_346.1.dr, chromecache_300.1.dr	false		high
https://github.com/douglascrockford/JSON-js/blob/ff55d8d4513b149e2511aee01c3a61d372837d1f/json_parse	chromecache_346.1.dr	false		high
http://www.nic.fi/~tapio1/Teaching/index1.php3	chromecache_317.1.dr	false	Avira URL Cloud: safe	unknown
https://search.sap.com/search.html?t=	chromecache_340.1.dr, chromecache_324.1.dr	false		high
http://jqueryui.com/about)	chromecache_346.1.dr	false		high
https://lodash.com/license	chromecache_300.1.dr	false		high
http://malsup.github.com/mit-license.txt	chromecache_376.1.dr	false		high
http://stackoverflow.com/questions/17907445/how-to-detect-ie11	chromecache_317.1.dr	false		high
https://github.com/malsup/form	chromecache_376.1.dr	false		high
http://millermedeiros.github.com/crossroads.js/	chromecache_300.1.dr	false		high
https://sizzlejs.com/	chromecache_346.1.dr	false		high
https://js.foundation/	chromecache_346.1.dr	false	URL Reputation: safe	unknown
http://jquery.com/	chromecache_346.1.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/every	chromecache_324.1.dr	false		high
http://www.sencha.com/forum/archive/index.php/t-120468.html	chromecache_317.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.168.68	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.168.77	accounts.google.com	United States	15169	GOOGLEUS	false
142.250.203.110	clients.l.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1294212
Start date and time:	2023-08-21 01:04:34 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@30/120@20/5
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Browse: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER Browse: https://royhill.plateau.com/learning/user/site/catalogSearch.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER Browse: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER Browse: https://royhill.plateau.com/learning/user/site/catalogSearch.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER Browse: https://royhill.plateau.com/learning/user/site/catalogSearch.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER Browse: https://royhill.plateau.com/learning/user/site/catalogSearch.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 172.217.168.67, 34.104.35.123, 23.211.5.38, 23.211.5.109, 216.58.215.234, 172.217.168.10, 172.217.168.42, 142.250.203.106, 142.250.203.99
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, content-autofill.googleapis.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, e938.a.akamaiedge.net, g.bing.com, wildcard.plateau.com.edgekey.net, e2093.a.akamaiedge.net, arc.msn.com, ris.api.iris.microsoft.com, edgedl.me.gvt1.com, update.googleapis.com, displaycatalog.mp.microsoft.com, wildcard.successfactors.com.edgekey.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1765
Entropy (8bit):	6.016932513650603
Encrypted:	false
SSDEEP:	48:p/hKAGj0FnAp7XgNGIaku9E5tPJXaWqkbszesM:R5Gj0FAlsaBmfPsRD3M
MD5:	6D1D175F88B64546105E3E7C31D1129A
SHA1:	75A1B56F55BB62B05365A0FDBFC7941DE77CBFAF
SHA-256:	A0BC246E8E160A9BB32FA60F4E7A04D148A17125F426509466031E07731FDF81
SHA-512:	5C80908331E30C7EAD67F7F6C5AB064B07626FD9C58925A0D2124D66B25C5AE2F218BDACFB68AFCB332E88EB297CFB7E0A7A9E5E1E54C9B7A510FEF095F9B54F
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiSUxrUllPSmhIVEZacllLRmN5UC12SkJrVjNWbWVLdHo4d1hEb2VPWjBZMCJ9LHsicGF0aCI6InNzbF9lcnJvcl9hc3Npc3RhbnQucGIiLCJyb290X2hhc2giOiJyRFZLUnlPcXBQQnI3RGhkM2VTazBKZzYxUlJXOVNzeHFBYU95WDFiWHFjIn1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoiZ2lla2NtbWxua2xlbmxhb21wcGtwaGtuam1ubnBuZWgiLCJpdGVtX3ZlcnNpb24iOiI3IiwicHJvdG9jb2xfdmVyc2lvbiI6MX0","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"nBdNk-7bgnEftAs4hWaHwF1Lk9pt7Eh6pcqe2gyNsE7VnVRp-H27tm1RFAF4htCUlXNJxX6YY-MUiK2DqJpQ3c73KDaFV8DcnadQfcXO3Lbrw7jLYSUaSdzujPkTyhuFcq_BhK0KWiIJ0aJgh7nVOBfAa5AbE6oFlLKMB2Ls0gmzS1-a5hUIu4rw2h9r9jkr6gLYbein5Jk2hdwW3u-1GNjyki4dftG2iZNAI8VhUf5gnCiF4AHCnYSGJsM0RGkmO_HJIzgwpQpP3RDsG2ioeKgxL-kcHhjXWOj3uVGyxpp1FkyHGkeGuqpFZMAxx3CEBiOtFj7i3iQxkgEW-E3uMKI3yA

Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Iframe src: /learning/images/blank.html;mod=b6cae4ef

Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: Title: SuccessFactors Learning Sites Login does not match URL
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: Title: SuccessFactors Learning Sites Login does not match URL

Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: <input type="password" .../> found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: <input type="password" .../> found

Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: No <meta name="author".. found
Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: No <meta name="author".. found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: No <meta name="author".. found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: No <meta name="author".. found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: No <meta name="author".. found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: No <meta name="author".. found

Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: No <meta name="copyright".. found
Source: https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login	HTTP Parser: No <meta name="copyright".. found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: No <meta name="copyright".. found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: No <meta name="copyright".. found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: No <meta name="copyright".. found
Source: https://royhill.plateau.com/learning/user/site/loginFromSite.do?OWASP_CSRFTOKEN=RLD1-U40M-8WM4-AB22-IBSI-1WW3-YP5Z-77ER	HTTP Parser: No <meta name="copyright".. found

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2023 01:05:27.320797920 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.320864916 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.320966959 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.323262930 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.323349953 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.323457956 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.326040983 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.326076984 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.326298952 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.326340914 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.448293924 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.448780060 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.448851109 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.449985981 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.450253963 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.450309038 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.450773954 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.450788021 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.450907946 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.450956106 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.451606035 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.451716900 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.452903032 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.453022003 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.453155994 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.453190088 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.453386068 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.453542948 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.453557968 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.453596115 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.495172024 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.495206118 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.495265961 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.498184919 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.498548031 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:27.498615980 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.498661995 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.498745918 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.498769045 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.499155045 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.499237061 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.567219019 CEST	49720	443	192.168.2.3	142.250.203.110
Aug 21, 2023 01:05:27.567265034 CEST	443	49720	142.250.203.110	192.168.2.3
Aug 21, 2023 01:05:27.568958998 CEST	49722	443	192.168.2.3	172.217.168.77
Aug 21, 2023 01:05:27.569021940 CEST	443	49722	172.217.168.77	192.168.2.3
Aug 21, 2023 01:05:30.981158972 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:30.981241941 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:30.981350899 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:30.981548071 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:30.981573105 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:31.045274973 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:31.046871901 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:31.046940088 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:31.048255920 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:31.048430920 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:31.065119028 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:31.065404892 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:31.106601954 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:31.106640100 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:31.146817923 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:41.029448986 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:41.029587984 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:05:41.029748917 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:42.447680950 CEST	49727	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:05:42.447746038 CEST	443	49727	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:30.998823881 CEST	49979	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:06:30.998909950 CEST	443	49979	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:30.999017000 CEST	49979	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:06:31.001801014 CEST	49979	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:06:31.001836061 CEST	443	49979	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:31.060070992 CEST	443	49979	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:31.060595036 CEST	49979	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:06:31.060672998 CEST	443	49979	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:31.061743975 CEST	443	49979	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:31.062716007 CEST	49979	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:06:31.062844038 CEST	443	49979	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:31.118875027 CEST	49979	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:06:41.083668947 CEST	443	49979	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:41.083827019 CEST	443	49979	172.217.168.68	192.168.2.3
Aug 21, 2023 01:06:41.083961010 CEST	49979	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:06:41.378092051 CEST	49979	443	192.168.2.3	172.217.168.68
Aug 21, 2023 01:06:41.378158092 CEST	443	49979	172.217.168.68	192.168.2.3

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2023 01:05:27.248073101 CEST	56452	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:27.248588085 CEST	59489	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:27.249425888 CEST	51739	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:27.249876976 CEST	63604	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:27.264677048 CEST	53	51739	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:27.277632952 CEST	53	56452	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:27.282339096 CEST	53	59489	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:27.284377098 CEST	53	63604	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:27.293106079 CEST	53	54193	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:27.805212975 CEST	53	64088	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:29.100064993 CEST	59697	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:29.105197906 CEST	57045	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:30.957870960 CEST	57282	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:30.958252907 CEST	63719	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:30.978729010 CEST	53	63719	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:30.978873968 CEST	53	57282	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:35.745477915 CEST	55108	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:35.745767117 CEST	62364	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:35.987170935 CEST	49809	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:35.987426996 CEST	52108	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:37.539264917 CEST	53	57594	8.8.8.8	192.168.2.3
Aug 21, 2023 01:05:38.859319925 CEST	54156	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:05:38.859858036 CEST	50959	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:06:26.499677896 CEST	53	49673	8.8.8.8	192.168.2.3
Aug 21, 2023 01:06:29.281666994 CEST	63200	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:06:29.281958103 CEST	57068	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:06:38.384332895 CEST	51105	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:06:38.384644032 CEST	52375	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:06:44.604043961 CEST	52337	53	192.168.2.3	8.8.8.8
Aug 21, 2023 01:06:44.604410887 CEST	59467	53	192.168.2.3	8.8.8.8

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 21, 2023 01:05:27.805325031 CEST	192.168.2.3	8.8.8.8	d02e	(Port unreachable)	Destination Unreachable
Aug 21, 2023 01:05:36.064487934 CEST	192.168.2.3	8.8.8.8	d07e	(Port unreachable)	Destination Unreachable
Aug 21, 2023 01:05:38.899446964 CEST	192.168.2.3	8.8.8.8	d09a	(Port unreachable)	Destination Unreachable
Aug 21, 2023 01:06:26.499775887 CEST	192.168.2.3	8.8.8.8	d031	(Port unreachable)	Destination Unreachable
Aug 21, 2023 01:06:38.433547974 CEST	192.168.2.3	8.8.8.8	d09a	(Port unreachable)	Destination Unreachable

Timestamp	kBytes transferred	Direction	Data
2023-08-20 23:05:27 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+904; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; AEC=Ad49MVGiijyX5dxPFAKxKYso-rIS24Ht-Pxs5fU9hHrAzfASnm-jqdQE1g; NID=511=WyMJovC2uA2AEbHQkGfP-KDdYCeg5Q7Mv6gxYT-qeugtrnXImrhmp1SixwS4ydh_E8Z0hdfCLAXvg2WUqsBSfqpx5SFvCCoeGeevqlEfkoxYi9FTISb8Cu7rr5rf9PyyNbLqf2QbxG7ja7jAB6UJQd5CPvMGcYUasORCRKRL1-arNYzfADAWHJvBLXml-Km_uewDreOyJ-MjxAI-i38Tl6LXI3zB; 1P_JAR=2023-08-10-10
2023-08-20 23:05:27 UTC	0	OUT	Data Raw: 20 Data Ascii:
2023-08-20 23:05:27 UTC	1	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sun, 20 Aug 2023 23:05:27 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-OilZHOlBPz55lYuM9lsLrg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-08-20 23:05:27 UTC	3	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-08-20 23:05:27 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (37861)
Category:	downloaded
Size (bytes):	130779
Entropy (8bit):	4.9887760819496165
Encrypted:	false
SSDEEP:	1536:ZZ/gQ4zSsTNPtL/53PtjPjc6HM2SceP/VdYR0:ZZ/c353PtjPjc6HM2ScYVu0
MD5:	9DD6B93DCEF155D7274B5513F31CA44C
SHA1:	01ED9A9AE04F7C4C9D8F2694E71D9118332D348E
SHA-256:	1DD418C6F65474BB1C48B50447EC3138B2584F7CBF97AF89C23C5842F0393A3F
SHA-512:	DF744B0596FDD2E20A499629AF2B1A58EA5421F974F93C0F8E941C50A19FABC1E6CF123CB09A24B7C43586C312A1ED27D20BCF892082A5D81838C07C28BB0822
Malicious:	false
Reputation:	low
URL:	https://royhill.plateau.com/learning/ui/sapui5/MOD_X_b578056e/sap/ui/core/themes/sap_fiori_3/library.css
Preview:	/!. OpenUI5. * (c) Copyright 2009-2023 SAP SE or an SAP affiliate company.. * Licensed under the Apache License, Version 2.0 - see LICENSE.txt.. //!. * OpenUI5. * (c) Copyright 2009-2023 SAP SE or an SAP affiliate company.. * Licensed under the Apache License, Version 2.0 - see LICENSE.txt.. /.sapUiAccKeysHighlighDom:first-letter{text-decoration:underline 20% black}.sapUiBody{background-color:#f7f7f7;color:#32363a;font-family:"72","72full",Arial,Helvetica,sans-serif;font-size:16px;-webkit-tap-highlight-color:rgba(0,0,0,0);forced-color-adjust:none}.sapUiArea{background-color:#f7f7f7;color:#32363a;font-family:"72","72full",Arial,Helvetica,sans-serif;font-size:16px}.sapUiHidden{position:absolute;visibility:hidden;left:-10000px;top:-10000px;background-color:#f7f7f7;color:#32363a;font-family:"72","72full",Arial,Helvetica,sans-serif;font-size:16px}.sapUiForcedHidden,.sapUiForcedHidden {visibility:hidden !important}.sapUiCorePlaintext{font-family:"72","72full",Arial,Helvetica,sans-seri

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	467
Entropy (8bit):	5.086648047259038
Encrypted:	false
SSDEEP:	12:2UwixTsd8wcqCDx8YujhDil3POjH+6+DRWAGeRfv:2UwkTsd59mx8YujhDid2WRWuRH
MD5:	521826D7E574B861AF39821D52E01A7F
SHA1:	3603CFABA65CD2B22BCE811AA444975BD1A532AA
SHA-256:	B9995323C862FE570833769172DEA15C776DCAA66D733472BC049F69FEEBD0C8
SHA-512:	17F051CA579B92389914091E2CB29C6113C5E21140EB17E167DFB4C2A7B6D00912A0AD64393615F55FF65A0DBA2A23A970080B5870889CFB352D05DF109E4AEE
Malicious:	false
Reputation:	low
URL:	https://royhill.plateau.com/learning/js/theming/ThemingHelper.js;mod=d7a07b1a
Preview:	(function(window) {..var topWindow = window.top;..var pageHeaderJson = topWindow && topWindow.pageHeaderJsonData;..if(pageHeaderJson) {...var baseThemeVarCssURL = pageHeaderJson.baseUrl + pageHeaderJson.themeBaseVarsCSS;...var linkElement = document.createElement("link");...linkElement.type = "text/css";...linkElement.rel = "stylesheet";...linkElement.href = baseThemeVarCssURL;...document.getElementsByTagName('head')[0].appendChild(linkElement);..}..})(window);.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	15079
Entropy (8bit):	4.870707925117348
Encrypted:	false
SSDEEP:	192:UZBOb5d5qKLsYKEePPAv+tCnEiwzjzCHgsmOGvL68DCKbXNVOULCrVNkrzug:UgoYbePPA0hUwB
MD5:	355357ECE41D0ADC392BB4A1E1706784
SHA1:	9357612C2E14DE6DAD7D76B7395BD9191FF6316E
SHA-256:	4C2A367F99DA7949C3B29DBF3B0426FEA4D4457D610B9C7095ACA48840724F1E
SHA-512:	0F9DEFC9BDE73A53B0D12A27A2E16D3F6F2C0E12A3AABF9053FFEB3A56305E3FBB4D6F82A7A6C2596109F0538B5906E5199ED64D08AAFB2119B98340A203A669
Malicious:	false
Reputation:	low
URL:	https://royhill.plateau.com/learning/ui/browse-catalog/resources/MOD_X_ec9a7cb6/control/CatalogListItemBase.js
Preview:	sap.ui.define([.."sap/ui/thirdparty/jquery",.."sap/m/ListItemBase",.."sap/m/ImageMode",.."sap/ui/Device",.."sap/m/Text",.."sap/m/Label",.."sap/m/RatingIndicator",.."sap/ui/core/InvisibleText",.."sap/m/Link",.."sap/m/Button",.."sap/ui/core/CustomData",.."sap/m/ActionSheet",.."sap/m/PlacementType".], function (jQuery,ListItemBase,ImageMode,Device,Text,Label,RatingIndicator,InvisibleText,Link,Button,CustomData,ActionSheet,PlacementType) {. "use strict";.. var CatalogListItemBase = ListItemBase.extend("sap.sf.learning.browsecatalog.control.CatalogListItemBase", { . .metadata: {. ..properties: {. ...title : {type : "string", group : "Misc", defaultValue : null},. ...thumbnailURI : {type: "string", group : "Misc", defaultValue: null},. ...classification : {type: "string", group : "Misc", defaultValue: null},. ...description : {type: "string", group : "Misc", defaultValue: null},. ...htmlDescription : {type: "string", group : "M

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (515)
Category:	downloaded
Size (bytes):	146255
Entropy (8bit):	5.2465971129716245
Encrypted:	false
SSDEEP:	1536:jyQN9GmH55/tdd/0glIQvAkartdhXo6Uo3iyNokD8Q:BartdhXz7
MD5:	43FD16168C4ED3DA98EAF34EC5A9D12C
SHA1:	8ED4BBC6D7036A32E665A4EC32F56C0E5716B68E
SHA-256:	10A35074B0916BAD513B7E19EC672061B514B011423AEE7D949E474082543B3B
SHA-512:	033BBC91E68876AB9B90ADC4AB4FD2078D0B5DC871FD4EC8BAA0CA85AA124B4BE4A412A05069A1F19D5BF1BAD60C9B71A7E187ADFA1C81C97059E723651718EA
Malicious:	false
Reputation:	low
URL:	https://royhill.plateau.com/learning/user/css/styles.min.css;mod=cf50d081
Preview:	html{font-family:Helvetica,Arial,sans-serif}html .ie-only{font-family:Arial,sans-serif}html body{font-size:12px;background-color:#FFF;margin:0;text-align:left}html body.fioriFD{font-size:var(--sapFontSize);margin:auto;text-align:initial}..legacyFont1Icon{display:none}#bodyDiv{margin:0;padding:0;_height:100%;min-height:691px;text-align:center}.tlsTile .tileWrapper .header .shrink,.tlsTile .tileWrapper .header .grow{opacity:1}.#headerAreaDiv,#menuAreaDiv,#contentAreaDiv,#footerAreaDiv{text-align:left}body #bodyDiv.noBackground{background:0;min-height:0}.nowrap{white-space:nowrap}#contentAreaDivGoalWizard{width:748px;display:table;margin:0 auto;padding:0 0 30px 0;z-index:1;background:#FFF url("/learning/user/images/pagetitle_bg.gif;mod=ea889039") top repeat-x}.#contentAreaDivActivitySearch{width:700px;display:table;margin:0 auto;padding:0 0 30px 0;z-index:1;background-color:inherit}#contentAreaDiv{width:940px;display:table;margin:0 auto;padding:0 0 50px 0;z-index:1;background-color:#fff}.

Timestamp	kBytes transferred	Direction	Data
2023-08-20 23:05:27 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-115.0.5790.171 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-08-20 23:05:27 UTC	3	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-I_KkkNJ6xRyLOTXKjbPqzg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sun, 20 Aug 2023 23:05:27 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6075 X-Daystart: 57927 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-08-20 23:05:27 UTC	3	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 30 37 35 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 35 37 39 32 37 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6075" elapsed_seconds="57927"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-08-20 23:05:27 UTC	4	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-08-20 23:05:27 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	01:05:23
Start date:	21/08/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff67bb30000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	1
Start time:	01:05:25
Start date:	21/08/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1816,i,13182273645002761532,11264324182047488038,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff67bb30000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	01:05:28
Start date:	21/08/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login
Imagebase:	0x7ff67bb30000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token .
Tactics:	Initial Access
Data Sources:	Network device logs, Network intrusion detection system, Packet capture, Process use of network, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\_metadata\verified_contents.json

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\manifest.fingerprint

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\manifest.json

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5292_679296917\ssl_error_assistant.pb

Chrome Cache Entry: 265

Chrome Cache Entry: 266

Chrome Cache Entry: 267

Chrome Cache Entry: 268

Chrome Cache Entry: 270

Chrome Cache Entry: 271

Chrome Cache Entry: 272

Chrome Cache Entry: 273

Chrome Cache Entry: 274

Chrome Cache Entry: 275

Chrome Cache Entry: 276

Chrome Cache Entry: 277

Chrome Cache Entry: 278

Chrome Cache Entry: 279

Chrome Cache Entry: 280

Chrome Cache Entry: 282

Chrome Cache Entry: 283

Chrome Cache Entry: 284

Chrome Cache Entry: 285

Chrome Cache Entry: 286

Chrome Cache Entry: 287

Chrome Cache Entry: 288

Chrome Cache Entry: 289

Chrome Cache Entry: 290

Chrome Cache Entry: 291

Windows Analysis Report
https://royhill.plateau.com/learning/user/portal.do?siteID=RH001&landingPage=login

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre