Edit tour

Windows Analysis Report
http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r

Overview

General Information

Sample URL:	http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r
Analysis ID:	1322363

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Creates files inside the system directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 5624 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3788 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1980,i,15802485787850025466,9600212843098341206,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: GET /ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r HTTP/1.1Host: echo4.bluehornet.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown	HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:50037 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_5624_984218621

Source: classification engine

Classification label: clean1.win@22/249@221/991

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1980,i,15802485787850025466,9600212843098341206,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1980,i,15802485787850025466,9600212843098341206,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Source	Detection	Scanner	Label	Link
http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
tls13.taboola.map.fastly.net	151.101.193.44	true	false	unknown
stun.anura.io	35.167.52.199	true	false	unknown
mobile-gtalk.l.google.com	74.125.137.188	true	false	high
d20qwf0wrdtevy.cloudfront.net	18.65.25.6	true	false	high
stats.g.doubleclick.net	142.250.101.157	true	false	high
pix.revjet.com	107.6.88.62	true	false	high
ads.anura.io	13.33.21.14	true	false	unknown
livepixel-production.bln.liveintent.com	52.6.65.93	true	false	high
dualstack.tls13.taboola.map.fastly.net	151.101.129.44	true	false	unknown
cm.g.doubleclick.net	142.250.68.2	true	false	high
q4e6t8h7.stackpathcdn.com	151.139.128.10	true	false	unknown
www.google.com	142.250.68.68	true	false	high
rocketmortgage.com.ssl.sc.omtrdc.net	63.140.36.121	true	false	unknown
static-msql-prod.refinance.quickenloans.com	104.18.12.43	true	false	high
www.npvnt7trk.com	34.36.162.171	true	false	unknown
cdn.mortgage.quickenloans.com	104.18.8.75	true	false	high
star-mini.c10r.facebook.com	31.13.70.36	true	false	high
android.l.google.com	142.250.72.174	true	false	high
us-u.openx.net	34.98.64.218	true	false	high
script.anura.io	52.12.119.177	true	false	unknown
sc-static.net	52.84.244.253	true	false	unknown
refinance.quickenloans.com	104.18.12.43	true	false	high
detgh1asa1dg4.cloudfront.net	18.164.174.129	true	false	high
www.lmbahsj2.com	35.201.76.131	true	false	unknown
dualstack.reddit.map.fastly.net	151.101.193.140	true	false	unknown
analytics-alv.google.com	216.239.38.181	true	false	high
prod.pinterest.global.map.fastly.net	151.101.128.84	true	false	unknown
cs-cdn.deviceatlas.com	3.18.206.181	true	false	high
googleads.g.doubleclick.net	142.250.72.226	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	unknown
dualstack.pinterest.map.fastly.net	146.75.92.84	true	false	unknown
td.doubleclick.net	142.250.176.2	true	false	high
clients.l.google.com	142.250.176.14	true	false	high
api.pushnami.com	18.154.206.105	true	false	high
static.cloudflareinsights.com	104.16.56.101	true	false	unknown
pug-sv3c.pubmnet.com	204.237.133.120	true	false	unknown
prod-ems-app-elb-01-1227721391.us-west-2.elb.amazonaws.com	52.11.71.220	true	false	high
spdc-global.pbp.gysm.yahoodns.net	98.137.11.144	true	false	unknown
d2bempapugykx0.cloudfront.net	18.164.174.59	true	false	high
scontent.xx.fbcdn.net	31.13.70.7	true	false	high
demdex.net.ssl.sc.omtrdc.net	63.140.36.148	true	false	unknown
gcp.api.sc-gw.com	35.190.43.134	true	false	unknown
pixel.tapad.com	34.111.113.62	true	false	high
fonts.cdnfonts.com	172.64.132.22	true	false	unknown
accounts.google.com	142.250.176.13	true	false	high
ads.revjet.com	15.204.44.78	true	false	high
s.amazon-adsystem.com	52.46.128.147	true	false	high
psp.pushnami.com	52.23.4.238	true	false	high
trc.pushnami.com	44.215.12.4	true	false	high
content.refinance.quickenloans.com	104.18.13.43	true	false	high
g7j5m5i6.stackpathcdn.com	151.139.128.10	true	false	unknown
dsum-sec.casalemedia.com	104.18.26.193	true	false	high
www.datadoghq-browser-agent.com	18.164.178.211	true	false	unknown
trackpixel.refinance.quickenloans.com	104.18.13.43	true	false	high
widget.trustpilot.com	18.154.132.124	true	false	high
dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com	52.39.147.20	true	false	high
ib.anycast.adnxs.com	104.254.151.36	true	false	high
edge.gycpi.b.yahoodns.net	209.73.190.11	true	false	unknown
pug-sfo-bc.pubmnet.com	104.36.113.107	true	false	unknown
alb.reddit.com	unknown	unknown	false	high
tr.snapchat.com	unknown	unknown	false	high
cdn1.lockerdomecdn.com	unknown	unknown	false	high
cm.everesttech.net	unknown	unknown	false	high
pixel.everesttech.net	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high
adobedc.demdex.net	unknown	unknown	false	high
somni.rocketmortgage.com	unknown	unknown	false	high
www.redditstatic.com	unknown	unknown	false	high
assets.adobedtm.com	unknown	unknown	false	high
pixel.rubiconproject.com	unknown	unknown	false	high
echo4.bluehornet.com	unknown	unknown	false	high
trc.taboola.com	unknown	unknown	false	high
b-code.liadm.com	unknown	unknown	false	high
connect.facebook.net	unknown	unknown	false	high
s.yimg.com	unknown	unknown	false	high
cdn.taboola.com	unknown	unknown	false	high
sync-tm.everesttech.net	unknown	unknown	false	high
pixel.mathtag.com	unknown	unknown	false	high
sp.analytics.yahoo.com	unknown	unknown	false	high
quicken.demdex.net	unknown	unknown	false	high
cdn1.decide.dev	unknown	unknown	false	unknown
ct.pinterest.com	unknown	unknown	false	high
ads.yahoo.com	unknown	unknown	false	high
image2.pubmatic.com	unknown	unknown	false	high
dpm.demdex.net	unknown	unknown	false	high
aa.agkn.com	unknown	unknown	false	high
c.pmsrv.co	unknown	unknown	false	high
clients1.google.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
navapi-lb.lowermybills.com	unknown	unknown	false	high
s.pinimg.com	unknown	unknown	false	high
analytics.google.com	unknown	unknown	false	high
ib.adnxs.com	unknown	unknown	false	high
sync.search.spotxchange.com	unknown	unknown	false	high
www.rockomni.com	unknown	unknown	false	unknown
rp.liadm.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r	false	high
about:srcdoc	false	low
https://api.pushnami.com/scripts/v1/hub	false	high
https://refinance.quickenloans.com/?pkey1=809&pkey2=2&pkey3=42890da93af048dfbf5f25085bec81c3&sourceid=lmb-54867-113582-809&sid=9&cmpid=9&crtid=&oid=9&affid=809&_ef_transaction_id=42890da93af048dfbf5f25085bec81c3	false	high
https://tr.snapchat.com/cm/i?pid=409e6a74-8d7f-465e-87b0-cc6eb99f3a76&u_scsid=69d3e808-b7cb-400e-a94b-e37f3f82c37c&u_sclid=9d4bf7f8-1726-4ce4-8ae2-dd0c5e6decd4	false	high
https://quicken.demdex.net/dest5.html?d_nsid=0#https%3A%2F%2Frefinance.quickenloans.com	false	high
https://widget.trustpilot.com/trustboxes/53aa8912dec7e10d38f59f36/index.html?templateId=53aa8912dec7e10d38f59f36&businessunitId=4bed9e1a00006400050b9bca#locale=en-US&styleHeight=130px&styleWidth=100%25&theme=light&stars=5	false	high
https://pixel.mathtag.com/sync/iframe?mt_uuid=6c216524-3ebc-4200-85c3-4c0d4ae6e6c1&no_iframe=1&mt_adid=245296&source=mathtag	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.64.132.22	fonts.cdnfonts.com	United States	13335	CLOUDFLARENETUS	false
184.26.157.112	unknown	United States	16625	AKAMAI-ASUS	false
142.250.68.68	www.google.com	United States	15169	GOOGLEUS	false
151.101.128.84	prod.pinterest.global.map.fastly.net	United States	54113	FASTLYUS	false
142.250.176.14	clients.l.google.com	United States	15169	GOOGLEUS	false
142.250.176.13	accounts.google.com	United States	15169	GOOGLEUS	false
151.101.193.140	dualstack.reddit.map.fastly.net	United States	54113	FASTLYUS	false
52.12.119.177	script.anura.io	United States	16509	AMAZON-02US	false
18.164.174.129	detgh1asa1dg4.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
151.101.65.140	unknown	United States	54113	FASTLYUS	false
54.191.115.213	unknown	United States	16509	AMAZON-02US	false
63.140.36.148	demdex.net.ssl.sc.omtrdc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
151.101.193.44	tls13.taboola.map.fastly.net	United States	54113	FASTLYUS	false
31.13.70.36	star-mini.c10r.facebook.com	Ireland	32934	FACEBOOKUS	false
157.240.11.35	unknown	United States	32934	FACEBOOKUS	false
52.39.147.20	dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
151.101.65.44	unknown	United States	54113	FASTLYUS	false
151.101.192.84	unknown	United States	54113	FASTLYUS	false
18.154.132.87	unknown	United States	16509	AMAZON-02US	false
107.6.88.62	pix.revjet.com	United States	29791	VOXEL-DOT-NETUS	false
216.239.38.181	analytics-alv.google.com	United States	15169	GOOGLEUS	false
104.254.151.36	ib.anycast.adnxs.com	United States	29990	ASN-APPNEXUS	false
18.65.25.6	d20qwf0wrdtevy.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
18.154.206.105	api.pushnami.com	United States	16509	AMAZON-02US	false
18.164.174.59	d2bempapugykx0.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
63.140.36.121	rocketmortgage.com.ssl.sc.omtrdc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
142.250.188.227	unknown	United States	15169	GOOGLEUS	false
23.208.10.21	unknown	United States	33662	CMCSUS	false
104.18.12.43	static-msql-prod.refinance.quickenloans.com	United States	13335	CLOUDFLARENETUS	false
142.250.72.168	unknown	United States	15169	GOOGLEUS	false
172.217.14.67	unknown	United States	15169	GOOGLEUS	false
23.62.176.208	unknown	United States	3257	GTT-BACKBONEGTTDE	false
35.190.43.134	gcp.api.sc-gw.com	United States	15169	GOOGLEUS	false
104.18.26.193	dsum-sec.casalemedia.com	United States	13335	CLOUDFLARENETUS	false
209.73.190.12	unknown	United States	36229	YAHOO-YSM-SC8US	false
52.84.244.253	sc-static.net	United States	16509	AMAZON-02US	false
104.254.148.251	unknown	United States	29990	ASN-APPNEXUS	false
204.237.133.120	pug-sv3c.pubmnet.com	United States	62713	AS-PUBMATICUS	false
3.18.206.181	cs-cdn.deviceatlas.com	United States	16509	AMAZON-02US	false
209.73.190.11	edge.gycpi.b.yahoodns.net	United States	36229	YAHOO-YSM-SC8US	false
35.167.52.199	stun.anura.io	United States	16509	AMAZON-02US	false
151.101.129.140	reddit.map.fastly.net	United States	54113	FASTLYUS	false
98.137.11.144	spdc-global.pbp.gysm.yahoodns.net	United States	36647	YAHOO-GQ1US	false
142.250.72.174	android.l.google.com	United States	15169	GOOGLEUS	false
63.140.36.139	unknown	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
52.35.189.231	unknown	United States	16509	AMAZON-02US	false
52.11.71.220	prod-ems-app-elb-01-1227721391.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
142.250.72.234	unknown	United States	15169	GOOGLEUS	false
52.6.65.93	livepixel-production.bln.liveintent.com	United States	14618	AMAZON-AESUS	false
52.46.128.147	s.amazon-adsystem.com	United States	16509	AMAZON-02US	false
142.250.101.157	stats.g.doubleclick.net	United States	15169	GOOGLEUS	false
142.250.176.2	td.doubleclick.net	United States	15169	GOOGLEUS	false
18.154.206.9	unknown	United States	16509	AMAZON-02US	false
151.101.66.49	unknown	United States	54113	FASTLYUS	false
52.39.106.225	unknown	United States	16509	AMAZON-02US	false
142.250.72.226	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false
44.215.12.4	trc.pushnami.com	United States	14618	AMAZON-AESUS	false
184.72.239.108	unknown	United States	14618	AMAZON-AESUS	false
74.125.137.188	mobile-gtalk.l.google.com	United States	15169	GOOGLEUS	false
35.82.171.163	unknown	United States	237	MERIT-AS-14US	false
13.33.21.14	ads.anura.io	United States	16509	AMAZON-02US	false
54.68.218.135	unknown	United States	16509	AMAZON-02US	false
18.154.132.124	widget.trustpilot.com	United States	16509	AMAZON-02US	false
63.140.36.117	unknown	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
52.43.151.139	unknown	United States	16509	AMAZON-02US	false
172.217.14.98	unknown	United States	15169	GOOGLEUS	false
8.39.36.142	unknown	United States	26667	RUBICONPROJECTUS	false
104.18.13.43	content.refinance.quickenloans.com	United States	13335	CLOUDFLARENETUS	false
8.39.36.141	unknown	United States	26667	RUBICONPROJECTUS	false
151.101.64.84	unknown	United States	54113	FASTLYUS	false
104.16.56.101	static.cloudflareinsights.com	United States	13335	CLOUDFLARENETUS	false
15.204.44.78	ads.revjet.com	United States	71	HP-INTERNET-ASUS	false
18.154.206.43	unknown	United States	16509	AMAZON-02US	false
96.7.140.207	unknown	United States	21342	AKAMAI-ASN2EU	false
35.201.76.131	www.lmbahsj2.com	United States	15169	GOOGLEUS	false
142.250.68.4	unknown	United States	15169	GOOGLEUS	false
104.18.27.193	unknown	United States	13335	CLOUDFLARENETUS	false
52.23.4.238	psp.pushnami.com	United States	14618	AMAZON-AESUS	false
54.164.67.84	unknown	United States	14618	AMAZON-AESUS	false
104.36.113.107	pug-sfo-bc.pubmnet.com	United States	62713	AS-PUBMATICUS	false
104.18.8.75	cdn.mortgage.quickenloans.com	United States	13335	CLOUDFLARENETUS	false
142.250.68.2	cm.g.doubleclick.net	United States	15169	GOOGLEUS	false
34.111.113.62	pixel.tapad.com	United States	15169	GOOGLEUS	false
34.36.162.171	www.npvnt7trk.com	United States	2686	ATGS-MMD-ASUS	false
18.164.178.211	www.datadoghq-browser-agent.com	United States	3	MIT-GATEWAYSUS	false
142.250.217.131	unknown	United States	15169	GOOGLEUS	false
151.101.129.44	dualstack.tls13.taboola.map.fastly.net	United States	54113	FASTLYUS	false
34.98.64.218	us-u.openx.net	United States	15169	GOOGLEUS	false
31.13.70.7	scontent.xx.fbcdn.net	Ireland	32934	FACEBOOKUS	false
54.69.69.48	unknown	United States	16509	AMAZON-02US	false
52.46.151.131	unknown	United States	16509	AMAZON-02US	false
151.139.128.10	q4e6t8h7.stackpathcdn.com	United States	20446	HIGHWINDS3US	false
142.250.72.130	unknown	United States	15169	GOOGLEUS	false
146.75.92.84	dualstack.pinterest.map.fastly.net	Sweden	30051	SCCGOVUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1322363
Start date and time:	2023-10-09 19:55:24 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@22/249@221/991

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 142.250.188.227, 34.104.35.123
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, clientservices.googleapis.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r

Source: https://refinance.quickenloans.com/?pkey1=809&pkey2=2&pkey3=42890da93af048dfbf5f25085bec81c3&sourceid=lmb-54867-113582-809&sid=9&cmpid=9&crtid=&oid=9&affid=809&_ef_transaction_id=42890da93af048dfbf5f25085bec81c3	HTTP Parser: No favicon
Source: https://widget.trustpilot.com/trustboxes/53aa8912dec7e10d38f59f36/index.html?templateId=53aa8912dec7e10d38f59f36&businessunitId=4bed9e1a00006400050b9bca#locale=en-US&styleHeight=130px&styleWidth=100%25&theme=light&stars=5	HTTP Parser: No favicon
Source: https://api.pushnami.com/scripts/v1/hub	HTTP Parser: No favicon
Source: https://tr.snapchat.com/cm/i?pid=409e6a74-8d7f-465e-87b0-cc6eb99f3a76&u_scsid=69d3e808-b7cb-400e-a94b-e37f3f82c37c&u_sclid=9d4bf7f8-1726-4ce4-8ae2-dd0c5e6decd4	HTTP Parser: No favicon
Source: https://pixel.mathtag.com/sync/iframe?mt_uuid=6c216524-3ebc-4200-85c3-4c0d4ae6e6c1&no_iframe=1&mt_adid=245296&source=mathtag	HTTP Parser: No favicon
Source: https://refinance.quickenloans.com/?pkey1=809&pkey2=2&pkey3=42890da93af048dfbf5f25085bec81c3&sourceid=lmb-54867-113582-809&sid=9&cmpid=9&crtid=&oid=9&affid=809&_ef_transaction_id=42890da93af048dfbf5f25085bec81c3	HTTP Parser: No favicon

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 9 16:55:55 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9807348022898768
Encrypted:	false
SSDEEP:
MD5:	5CE983A6280B69068F343C1AE03C8CF7
SHA1:	E19544C7D3DA93AFA1E40A8A515EE4A87874B873
SHA-256:	DAAA5D7EBE1E5B0643518C2140219030F6F4D27DDA0331F77319736AFC0CF762
SHA-512:	06388F19DCA878848EF8D73F555BC1D2303A0D3C4CCF483AAC9B4A7557C628662004E7B880ED052572380B3C6C00F0078782D63828B714D6F4D0259150B83668
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....?3......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IIW.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VIW......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VIW......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VIW............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VIW.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........:.4H.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2394)
Category:	downloaded
Size (bytes):	2617
Entropy (8bit):	5.823531728269388
Encrypted:	false
SSDEEP:
MD5:	2494428232BBD713AD61E54852AC7880
SHA1:	4FC93CE3A285AFF280504CA31B400BBE83AB0E4E
SHA-256:	64D675C839C1F1385D56346EFB8B29671E5F8F6DAC9F521AB389FB13CE984504
SHA-512:	E23F791BB60231409D35F9F28379B5C87AB70B9D6576A3C82B36E1A8E606C979867CA5ABCD3B455FDB1C2BC2D5DA9A8E5C62127693036DB1E87B1BEED65B14D2
Malicious:	false
Reputation:	low
URL:	https://googleads.g.doubleclick.net/pagead/viewthroughconversion/966730890/?random=1696874167340&cv=11&fst=1696874167340&bg=ffffff&guid=ON&async=1&gtm=45be3a40&u_w=1280&u_h=1024&url=https%3A%2F%2Frefinance.quickenloans.com%2F%3Fpkey1%3D809%26pkey2%3D2%26pkey3%3D42890da93af048dfbf5f25085bec81c3%26sourceid%3Dlmb-54867-113582-809%26sid%3D9%26cmpid%3D9%26crtid%3D%26oid%3D9%26affid%3D809%26_ef_transaction_id%3D42890da93af048dfbf5f25085bec81c3&hn=www.googleadservices.com&frm=0&tiba=Refinance%20Mortgage%2C%20Refinancing%20Rates%2C%20Mortgage%20Rates&auid=827160414.1696874167&fledge=1&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B117.0.5938.132%7CNot%253BA%253DBrand%3B8.0.0.0%7CChromium%3B117.0.5938.132&uamb=0&uap=Windows&uapv=10.0.0&uaw=0&data=event%3Dgtag.config&rfmt=3&fmt=4
Preview:	(function(){var s = {};(function(){var e={};/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0 */ var f=this\|\|self;var g,k;a:{for(var l=["CLOSURE_FLAGS"],p=f,q=0;q<l.length;q++)if(p=p[l[q]],null==p){k=null;break a}k=p}var r=k&&k[610401301];g=null!=r?r:!1;var t,v=f.navigator;t=v?v.userAgentData\|\|null:null;function w(d){return g?t?t.brands.some(function(a){return(a=a.brand)&&-1!=a.indexOf(d)}):!1:!1}function x(d){var a;a:{if(a=f.navigator)if(a=a.userAgent)break a;a=""}return-1!=a.indexOf(d)};function y(){return g?!!t&&0<t.brands.length:!1}function z(){return y()?w("Chromium"):(x("Chrome")\|\|x("CriOS"))&&!(y()?0:x("Edge"))\|\|x("Silk")};!x("Android")\|\|z();z();!x("Safari")\|\|z()\|\|(y()?0:x("Coast"))\|\|(y()?0:x("Opera"))\|\|(y()?0:x("Edge"))\|\|(y()?w("Microsoft Edge"):x("Edg/"))\|\|y()&&w("Opera");var A=/#\|$/;function B(d){var a=d.search(A),b;a:{for(b=0;0<=(b=d.indexOf("fmt",b))&&b<a;){var c=d.charCodeAt(b-1);if(38==c\|\|63==c)if(c=d.charCodeAt(b+3),!c\|\|61==c\|\|38==c\|\|35==c)br

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (64347)
Category:	downloaded
Size (bytes):	202266
Entropy (8bit):	5.451235405459401
Encrypted:	false
SSDEEP:
MD5:	7795E34265E63DFAAA321067F3C7EAE6
SHA1:	FD58077E7189D5385B89DE051005B28CDE12072A
SHA-256:	805270B078CDE87B61BB57C8BD44F8B58B0D128F5A8EFDD4395470B45B291D65
SHA-512:	ACAF0627DF9B778899CEA96699E2FCFDD845BF5EC7E9F4BE938D2752673D8C92C188FE7F717EB2FF86D26B878D50ED11FE0110182CB16D3F75A3E84C8B701DEE
Malicious:	false
Reputation:	low
URL:	https://connect.facebook.net/en_US/fbevents.js
Preview:	/*. Copyright (c) 2017-present, Facebook, Inc. All rights reserved... You are hereby granted a non-exclusive, worldwide, royalty-free license to use,.* copy, modify, and distribute this software in source code or binary form for use.* in connection with the web services and APIs provided by Facebook... As with any software that integrates with the Facebook platform, your use of.* this software is subject to the Facebook Platform Policy.* [http://developers.facebook.com/policy/]. This copyright notice shall be.* included in all copies or substantial portions of the software... THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS.* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR.* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER.* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN.* CONNECTION WI

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (4179)
Category:	downloaded
Size (bytes):	209374
Entropy (8bit):	5.552981505271921
Encrypted:	false
SSDEEP:
MD5:	E7BC47344916878D431BA6F7F1D9F284
SHA1:	9750F085B9440269AD647F7759DAE7545A80B73E
SHA-256:	36E968B5EB5D63358A140542285EB232C7B62F7E24E1260EAA58C27C3E33E756
SHA-512:	F6BCFADDAA5C62AEFA4BA8A8EA066D6A99AA8323FDEA8BDCE5BAAE8788F912676EEE7C461E8FAC07F8028F1B71B516D64B90F95982047BF525EE04F11B5FA81F
Malicious:	false
Reputation:	low
URL:	https://www.googletagmanager.com/gtag/js?id=AW-857412364
Preview:	.// Copyright 2012 Google Inc. All rights reserved.. .(function(){..var data = {."resource": {. "version":"1",. . "macros":[{"function":"__e"}],. "tags":[{"function":"__ogt_ads_datatos","priority":14,"vtp_instanceDestinationId":"AW-857412364","tag_id":8},{"function":"__ogt_1p_data_v2","priority":4,"vtp_isAutoEnabled":true,"vtp_autoCollectExclusionSelectors":["list",["map","exclusionSelector",""]],"vtp_isEnabled":true,"vtp_autoEmailEnabled":true,"vtp_autoPhoneEnabled":false,"vtp_autoAddressEnabled":false,"vtp_isAutoCollectPiiEnabledFlag":false,"tag_id":4},{"function":"__ccd_ads_first","priority":3,"vtp_instanceDestinationId":"AW-857412364","tag_id":9},{"function":"__ccd_pre_auto_pii","priority":1,"vtp_instanceDestinationId":"AW-857412364","tag_id":7},{"function":"__rep","vtp_containerId":"AW-857412364","vtp_remoteConfig":["map","enhanced_conversions",["map","QQP7CPzToPoCEIym7JgD",["map","enhanced_conversions_mode","off","enhanced_conversions_automatic_settings",["map"]],"f39_CPHsovo

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2393)
Category:	downloaded
Size (bytes):	2616
Entropy (8bit):	5.826219613719443
Encrypted:	false
SSDEEP:
MD5:	CD4D42914673A4D31393B8E949C363F7
SHA1:	D41C1BF1D440EC0487AEEC7480574B7C861EB0AD
SHA-256:	6723073490DC6079941C923C5B9BFF57689C52F939C7E69A5BC432026649911A
SHA-512:	50B8B34B1E39A6CC6B65ECEB604D2F17C6F1B06D3E29DFAD96E7C42B68064046E1C1967F7F0388B9B1197AAD08B67381BBDB090F0029E52DDC7F5C7441B11EB1
Malicious:	false
Reputation:	low
URL:	https://googleads.g.doubleclick.net/pagead/viewthroughconversion/857412364/?random=1696874171399&cv=11&fst=1696874171399&bg=ffffff&guid=ON&async=1&gtm=45be3a40&u_w=1280&u_h=1024&url=https%3A%2F%2Frefinance.quickenloans.com%2F%3Fpkey1%3D809%26pkey2%3D2%26pkey3%3D42890da93af048dfbf5f25085bec81c3%26sourceid%3Dlmb-54867-113582-809%26sid%3D9%26cmpid%3D9%26crtid%3D%26oid%3D9%26affid%3D809%26_ef_transaction_id%3D42890da93af048dfbf5f25085bec81c3&hn=www.googleadservices.com&frm=0&tiba=Refinance%20Mortgage%2C%20Refinancing%20Rates%2C%20Mortgage%20Rates&auid=827160414.1696874167&fledge=1&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B117.0.5938.132%7CNot%253BA%253DBrand%3B8.0.0.0%7CChromium%3B117.0.5938.132&uamb=0&uap=Windows&uapv=10.0.0&uaw=0&data=event%3Dgtag.config&rfmt=3&fmt=4
Preview:	(function(){var s = {};(function(){var e={};/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0 */ var f=this\|\|self;var g,k;a:{for(var l=["CLOSURE_FLAGS"],p=f,q=0;q<l.length;q++)if(p=p[l[q]],null==p){k=null;break a}k=p}var r=k&&k[610401301];g=null!=r?r:!1;var t,v=f.navigator;t=v?v.userAgentData\|\|null:null;function w(d){return g?t?t.brands.some(function(a){return(a=a.brand)&&-1!=a.indexOf(d)}):!1:!1}function x(d){var a;a:{if(a=f.navigator)if(a=a.userAgent)break a;a=""}return-1!=a.indexOf(d)};function y(){return g?!!t&&0<t.brands.length:!1}function z(){return y()?w("Chromium"):(x("Chrome")\|\|x("CriOS"))&&!(y()?0:x("Edge"))\|\|x("Silk")};!x("Android")\|\|z();z();!x("Safari")\|\|z()\|\|(y()?0:x("Coast"))\|\|(y()?0:x("Opera"))\|\|(y()?0:x("Edge"))\|\|(y()?w("Microsoft Edge"):x("Edg/"))\|\|y()&&w("Opera");var A=/#\|$/;function B(d){var a=d.search(A),b;a:{for(b=0;0<=(b=d.indexOf("fmt",b))&&b<a;){var c=d.charCodeAt(b-1);if(38==c\|\|63==c)if(c=d.charCodeAt(b+3),!c\|\|61==c\|\|38==c\|\|35==c)br

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 154

Chrome Cache Entry: 156

Chrome Cache Entry: 157

Chrome Cache Entry: 158

Chrome Cache Entry: 159

Chrome Cache Entry: 160

Chrome Cache Entry: 161

Chrome Cache Entry: 163

Chrome Cache Entry: 165

Chrome Cache Entry: 166

Chrome Cache Entry: 167

Chrome Cache Entry: 168

Chrome Cache Entry: 169

Chrome Cache Entry: 170

Chrome Cache Entry: 171

Chrome Cache Entry: 172

Chrome Cache Entry: 174

Chrome Cache Entry: 175

Chrome Cache Entry: 176

Chrome Cache Entry: 178

Chrome Cache Entry: 179

Chrome Cache Entry: 180

Chrome Cache Entry: 181

Chrome Cache Entry: 183

Chrome Cache Entry: 184

Chrome Cache Entry: 185

Chrome Cache Entry: 187

Chrome Cache Entry: 189

Chrome Cache Entry: 190

Chrome Cache Entry: 193

Windows Analysis Report
http://echo4.bluehornet.com/ct/102382314:7iRrY3GNo:m:1:3704804765:08FA3081E51DED790A08854867171A03:r