Play interactive tourEdit tour

Windows Analysis Report
https://trk-mkt.tason.com/CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjAyMzEyMjQ=&S0lORD1D&Q0lEPTAyNg==&URL=https://lunarlatam.com/package/baggage/W39blJXO0eiHWwH/c2tuaWdod

Overview

General Information

Sample URL:	https://trk-mkt.tason.com/CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjA
Analysis ID:	1369908
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic

Creates files inside the system directory

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

Classification

×

Joe Sandbox Signatures

• • AV Detection
• • Phishing
• • Compliance
• • Networking
• • System Summary

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://trk-mkt.tason.com/CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjAyMzEyMjQ=&S0lORD1D&Q0lEPTAyNg==&URL=https://lunarlatam.com/package/baggage/W39blJXO0eiHWwH/c2tuaWdodEBkbnRsd29ya3MuY29t

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Phishing

HTML body contains low number of good links

Source: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.html#sknight@dntlworks.com

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.html#sknight@dntlworks.com

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.html#sknight@dntlworks.com

HTTP Parser: Title: Outlook Web Access does not match URL

HTML body contains password input

Source: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.html#sknight@dntlworks.com

HTTP Parser: <input type="password" .../> found

HTML page is missing a favicon

Source: https://trk-mkt.tason.com/CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjAyMzEyMjQ=&S0lORD1D&Q0lEPTAyNg==&URL=https://lunarlatam.com/package/baggage/W39blJXO0eiHWwH/c2tuaWdodEBkbnRsd29ya3MuY29t	HTTP Parser: No favicon
Source: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.html#sknight@dntlworks.com	HTTP Parser: No favicon

META author tag missing

Source: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.html#sknight@dntlworks.com

HTTP Parser: No <meta name="author".. found

META copyright tag missing

Source: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.html#sknight@dntlworks.com

HTTP Parser: No <meta name="copyright".. found

Compliance

Creates a directory in C:\Program Files

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 23.220.120.109:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.120.109:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49765 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2024395 ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL 104.18.2.35:443 -> 192.168.2.4:49748

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.220.120.109
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.21
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.21
Source: unknown	TCP traffic detected without corresponding DNS query: 23.207.202.21

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjAyMzEyMjQ=&S0lORD1D&Q0lEPTAyNg==&URL=https://lunarlatam.com/package/baggage/W39blJXO0eiHWwH/c2tuaWdodEBkbnRsd29ya3MuY29t HTTP/1.1Host: trk-mkt.tason.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/no_img.gif HTTP/1.1Host: trk-mkt.tason.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://trk-mkt.tason.com/CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjAyMzEyMjQ=&S0lORD1D&Q0lEPTAyNg==&URL=https://lunarlatam.com/package/baggage/W39blJXO0eiHWwH/c2tuaWdodEBkbnRsd29ya3MuY29tAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/no_img.gif HTTP/1.1Host: trk-mkt.tason.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /package/baggage/W39blJXO0eiHWwH/c2tuaWdodEBkbnRsd29ya3MuY29t HTTP/1.1Host: lunarlatam.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://trk-mkt.tason.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: lunarlatam.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://lunarlatam.com/package/baggage/W39blJXO0eiHWwH/c2tuaWdodEBkbnRsd29ya3MuY29tAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sever%20owa.html HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://lunarlatam.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /Content/images/icons/24/warning-orange_24.png HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /content/font/dinot-webfont.woff HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /content/font/dinot-medium-webfont.woff HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /content/font/opensans-regular-webfont.woff HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Content/images/icons/16/info-white_16.svg HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /content/font/dinot-medium-webfont.ttf HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /content/font/opensans-regular-webfont.ttf HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /content/font/dinot-webfont.ttf HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: pub-87daf7836ec541dcbbb28a3cba66706a.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-87daf7836ec541dcbbb28a3cba66706a.r2.dev/sever%20owa.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7ae9GkPDKphAhcy&MD=ewtscRoy HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7ae9GkPDKphAhcy&MD=ewtscRoy HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:11 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504e6e8112420-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:11 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504e94c8907fa-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:12 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504e95de9590e-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:12 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504e908ab81eb-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:12 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504e9597682f9-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:12 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504ecbc7d59df-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:12 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504ece9cb12b9-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:12 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504eceec205e0-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jan 2024 16:57:13 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 840504f0db048230-IAD

URLs found in memory or binary data

Source: chromecache_53.2.dr	String found in binary or memory: http://outdatedbrowser.com/en
Source: chromecache_55.2.dr	String found in binary or memory: http://www.google-analytics.com
Source: chromecache_53.2.dr	String found in binary or memory: https://abfconstrucciones.com/ssz/owa.serverdata.net.php
Source: chromecache_53.2.dr	String found in binary or memory: https://controlpanel.serverdata.net/Portal/ADUser/Login
Source: chromecache_56.2.dr, chromecache_48.2.dr, chromecache_51.2.dr	String found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
Source: chromecache_55.2.dr	String found in binary or memory: https://ssl.google-analytics.com
Source: chromecache_55.2.dr	String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
Source: chromecache_55.2.dr	String found in binary or memory: https://stats.g.doubleclick.net/j/collect?
Source: chromecache_56.2.dr, chromecache_48.2.dr, chromecache_51.2.dr	String found in binary or memory: https://www.cloudflare.com/favicon.ico
Source: chromecache_55.2.dr	String found in binary or memory: https://www.google.%/ads/ga-audiences?
Source: chromecache_55.2.dr	String found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 23.220.120.109:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.220.120.109:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49765 version: TLS 1.2

System Summary

Creates files inside the system directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_1260_1151443278

Jump to behavior

Classification label

Source: classification engine

Classification label: mal56.win@18/9@16/7

Creates files inside the program directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2484,i,6627374886550884005,9915346450306484019,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "https://trk-mkt.tason.com/CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjAyMzEyMjQ=&S0lORD1D&Q0lEPTAyNg==&URL=https://lunarlatam.com/package/baggage/W39blJXO0eiHWwH/c2tuaWdodEBkbnRsd29ya3MuY29t
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2484,i,6627374886550884005,9915346450306484019,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a directory in C:\Program Files

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior

Click here to start
Slideshow Behavior Animation