Edit tour

Windows Analysis Report
http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com

Overview

General Information

Sample URL:	http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com
Analysis ID:	1447263
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 3548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6364 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1892,i,62843956981060036,4939168404260718546,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com

Avira URL Cloud: detection malicious, Label: phishing

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49716 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.16:62398 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.209.182
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=k7+ccPnv+M53ByL&MD=Tu7U6NTy HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=k7+ccPnv+M53ByL&MD=Tu7U6NTy HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: sets.json.0.dr	String found in binary or memory: https://abczdrowie.pl
Source: sets.json.0.dr	String found in binary or memory: https://alice.tw
Source: sets.json.0.dr	String found in binary or memory: https://autobild.de
Source: sets.json.0.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.0.dr	String found in binary or memory: https://bild.de
Source: sets.json.0.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.0.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.0.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.0.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.0.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.0.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.0.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.0.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.0.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.0.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.0.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.0.dr	String found in binary or memory: https://chennien.com
Source: sets.json.0.dr	String found in binary or memory: https://clarosports.com
Source: sets.json.0.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.0.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.0.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.0.dr	String found in binary or memory: https://cookreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.0.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.0.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.0.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.0.dr	String found in binary or memory: https://een.be
Source: sets.json.0.dr	String found in binary or memory: https://efront.com
Source: sets.json.0.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.0.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.0.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.0.dr	String found in binary or memory: https://ella.sv
Source: sets.json.0.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.0.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.0.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.0.dr	String found in binary or memory: https://finn.no
Source: sets.json.0.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.0.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.0.dr	String found in binary or memory: https://gettalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.0.dr	String found in binary or memory: https://grid.id
Source: sets.json.0.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.0.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.0.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.0.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://hapara.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.global
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.0.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.0.dr	String found in binary or memory: https://hearty.app
Source: sets.json.0.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.0.dr	String found in binary or memory: https://hearty.me
Source: sets.json.0.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.0.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.0.dr	String found in binary or memory: https://hj.rs
Source: sets.json.0.dr	String found in binary or memory: https://hjck.com
Source: sets.json.0.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.0.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.0.dr	String found in binary or memory: https://iolam.it
Source: sets.json.0.dr	String found in binary or memory: https://ishares.com
Source: sets.json.0.dr	String found in binary or memory: https://jagran.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.0.dr	String found in binary or memory: https://kompas.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.0.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.0.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.0.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.0.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.0.dr	String found in binary or memory: https://libero.it
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.0.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.0.dr	String found in binary or memory: https://livemint.com
Source: sets.json.0.dr	String found in binary or memory: https://max.auto
Source: sets.json.0.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.0.dr	String found in binary or memory: https://meo.pt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.0.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.0.dr	String found in binary or memory: https://money.pl
Source: sets.json.0.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://nacion.com
Source: sets.json.0.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.co
Source: sets.json.0.dr	String found in binary or memory: https://nien.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.org
Source: sets.json.0.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.0.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.0.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.0.dr	String found in binary or memory: https://o2.pl
Source: sets.json.0.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.0.dr	String found in binary or memory: https://onet.pl
Source: sets.json.0.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.0.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.0.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.0.dr	String found in binary or memory: https://player.pl
Source: sets.json.0.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.0.dr	String found in binary or memory: https://poalim.site
Source: sets.json.0.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.0.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.0.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.0.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.0.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://radio1.be
Source: sets.json.0.dr	String found in binary or memory: https://radio2.be
Source: sets.json.0.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://repid.org
Source: sets.json.0.dr	String found in binary or memory: https://reshim.org
Source: sets.json.0.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.0.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.0.dr	String found in binary or memory: https://samayam.com
Source: sets.json.0.dr	String found in binary or memory: https://sapo.io
Source: sets.json.0.dr	String found in binary or memory: https://sapo.pt
Source: sets.json.0.dr	String found in binary or memory: https://shock.co
Source: sets.json.0.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.0.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.0.dr	String found in binary or memory: https://songshare.com
Source: sets.json.0.dr	String found in binary or memory: https://songstats.com
Source: sets.json.0.dr	String found in binary or memory: https://sporza.be
Source: sets.json.0.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.0.dr	String found in binary or memory: https://stripe.com
Source: sets.json.0.dr	String found in binary or memory: https://stripe.network
Source: sets.json.0.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.0.dr	String found in binary or memory: https://supereva.it
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.0.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.0.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.0.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.0.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.0.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://tvid.in
Source: sets.json.0.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.0.dr	String found in binary or memory: https://unotv.com
Source: sets.json.0.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.0.dr	String found in binary or memory: https://vrt.be
Source: sets.json.0.dr	String found in binary or memory: https://vwo.com
Source: sets.json.0.dr	String found in binary or memory: https://welt.de
Source: sets.json.0.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.0.dr	String found in binary or memory: https://wildix.com
Source: sets.json.0.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.0.dr	String found in binary or memory: https://wingify.com
Source: sets.json.0.dr	String found in binary or memory: https://wordle.at
Source: sets.json.0.dr	String found in binary or memory: https://wp.pl
Source: sets.json.0.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.0.dr	String found in binary or memory: https://www.asadcdn.com
Source: sets.json.0.dr	String found in binary or memory: https://ya.ru
Source: sets.json.0.dr	String found in binary or memory: https://zalo.me
Source: sets.json.0.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://zingmp3.vn

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62401

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49716 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\cr_en-us_500000_index.bin	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\keys.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_3548_464227611

Jump to behavior

Source: classification engine

Classification label: mal48.win@22/24@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1892,i,62843956981060036,4939168404260718546,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1892,i,62843956981060036,4939168404260718546,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com	100%	Avira URL Cloud	phishing

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://wieistmeineip.de	0%	Avira URL Cloud	safe
https://mercadoshops.com.br	0%	Avira URL Cloud	safe
https://gliadomain.com	0%	Avira URL Cloud	safe
https://poalim.xyz	0%	Avira URL Cloud	safe
https://medonet.pl	0%	Avira URL Cloud	safe
https://unotv.com	0%	Avira URL Cloud	safe
https://nourishingpursuits.com	0%	Avira URL Cloud	safe
https://joyreactor.cc	0%	Avira URL Cloud	safe
https://mercadolivre.com	0%	Avira URL Cloud	safe
https://mercadoshops.com.co	0%	Avira URL Cloud	safe
https://elfinancierocr.com	0%	Avira URL Cloud	safe
https://reshim.org	0%	Avira URL Cloud	safe
https://supereva.it	0%	Avira URL Cloud	safe
https://bolasport.com	0%	Avira URL Cloud	safe
https://rws1nvtvt.com	0%	Avira URL Cloud	safe
https://baomoi.com	0%	Avira URL Cloud	safe
https://songstats.com	0%	Avira URL Cloud	safe
https://mercadoshops.com	0%	Avira URL Cloud	safe
https://hearty.app	0%	Avira URL Cloud	safe
https://zdrowietvn.pl	0%	Avira URL Cloud	safe
https://hearty.gift	0%	Avira URL Cloud	safe
https://desimartini.com	0%	Avira URL Cloud	safe
https://heartymail.com	0%	Avira URL Cloud	safe
https://radio2.be	0%	Avira URL Cloud	safe
https://finn.no	0%	Avira URL Cloud	safe
https://hc1.com	0%	Avira URL Cloud	safe
https://mystudentdashboard.com	0%	Avira URL Cloud	safe
https://mercadopago.com.mx	0%	Avira URL Cloud	safe
https://songshare.com	0%	Avira URL Cloud	safe
https://kompas.tv	0%	Avira URL Cloud	safe
https://cardsayings.net	0%	Avira URL Cloud	safe
https://mercadopago.com.pe	0%	Avira URL Cloud	safe
https://talkdeskqaid.com	0%	Avira URL Cloud	safe
https://mightytext.net	0%	Avira URL Cloud	safe
https://pudelek.pl	0%	Avira URL Cloud	safe
https://joyreactor.com	0%	Avira URL Cloud	safe
https://cookreactor.com	0%	Avira URL Cloud	safe
https://wildixin.com	0%	Avira URL Cloud	safe
https://bonvivir.com	0%	Avira URL Cloud	safe
https://eworkbookcloud.com	0%	Avira URL Cloud	safe
https://chennien.com	0%	Avira URL Cloud	safe
https://nacion.com	0%	Avira URL Cloud	safe
https://talkdeskstgid.com	0%	Avira URL Cloud	safe
https://mercadopago.cl	0%	Avira URL Cloud	safe
https://carcostadvisor.be	0%	Avira URL Cloud	safe
https://salemovetravel.com	0%	Avira URL Cloud	safe
https://sapo.io	0%	Avira URL Cloud	safe
https://wpext.pl	0%	Avira URL Cloud	safe
https://poalim.site	0%	Avira URL Cloud	safe
https://blackrockadvisorelite.it	0%	Avira URL Cloud	safe
https://welt.de	0%	Avira URL Cloud	safe
https://cafemedia.com	0%	Avira URL Cloud	safe
https://mercadoshops.com.ar	0%	Avira URL Cloud	safe
https://elpais.uy	0%	Avira URL Cloud	safe
https://landyrev.com	0%	Avira URL Cloud	safe
https://commentcamarche.com	0%	Avira URL Cloud	safe
https://rws3nvtvt.com	0%	Avira URL Cloud	safe
https://tucarro.com.ve	0%	Avira URL Cloud	safe
https://mercadolivre.com.br	0%	Avira URL Cloud	safe
https://eleconomista.net	0%	Avira URL Cloud	safe
https://salemovefinancial.com	0%	Avira URL Cloud	safe
https://standardsandpraiserepurpose.com	0%	Avira URL Cloud	safe
https://clmbtech.com	0%	Avira URL Cloud	safe
https://mercadopago.com.br	0%	Avira URL Cloud	safe
https://hj.rs	0%	Avira URL Cloud	safe
https://hearty.me	0%	Avira URL Cloud	safe
https://mercadolibre.com.gt	0%	Avira URL Cloud	safe
https://etfacademy.it	0%	Avira URL Cloud	safe
https://commentcamarche.net	0%	Avira URL Cloud	safe
https://mighty-app.appspot.com	0%	Avira URL Cloud	safe
https://timesinternet.in	0%	Avira URL Cloud	safe
https://idbs-staging.com	0%	Avira URL Cloud	safe
https://idbs-eworkbook.com	0%	Avira URL Cloud	safe
https://blackrock.com	0%	Avira URL Cloud	safe
https://mercadolibre.co.cr	0%	Avira URL Cloud	safe
https://hjck.com	0%	Avira URL Cloud	safe
https://kompas.com	0%	Avira URL Cloud	safe
https://vrt.be	0%	Avira URL Cloud	safe
https://prisjakt.no	0%	Avira URL Cloud	safe
https://idbs-dev.com	0%	Avira URL Cloud	safe
https://mercadolibre.com.hn	0%	Avira URL Cloud	safe
https://mercadolibre.cl	0%	Avira URL Cloud	safe
https://wingify.com	0%	Avira URL Cloud	safe
https://mercadopago.com.ar	0%	Avira URL Cloud	safe
https://player.pl	0%	Avira URL Cloud	safe
https://linternaute.com	0%	Avira URL Cloud	safe
https://een.be	0%	Avira URL Cloud	safe
https://tucarro.com.co	0%	Avira URL Cloud	safe
https://nien.com	0%	Avira URL Cloud	safe
https://punjabijagran.com	0%	Avira URL Cloud	safe
https://tolteck.app	0%	Avira URL Cloud	safe
https://cmxd.com.mx	0%	Avira URL Cloud	safe
https://clarosports.com	0%	Avira URL Cloud	safe
https://grupolpg.sv	0%	Avira URL Cloud	safe
https://rws2nvtvt.com	0%	Avira URL Cloud	safe
https://abczdrowie.pl	0%	Avira URL Cloud	safe
https://landyrev.ru	0%	Avira URL Cloud	safe
https://mercadolibre.com.ve	0%	Avira URL Cloud	safe
https://money.pl	0%	Avira URL Cloud	safe
https://gallito.com.uy	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.186.100	true	false		unknown
login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://wieistmeineip.de	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com.co	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://gliadomain.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://poalim.xyz	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolivre.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://reshim.org	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://nourishingpursuits.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://medonet.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://unotv.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com.br	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://joyreactor.cc	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://zdrowietvn.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://songstats.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://baomoi.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://supereva.it	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://elfinancierocr.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://bolasport.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://rws1nvtvt.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://desimartini.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hearty.app	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hearty.gift	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://heartymail.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://radio2.be	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://finn.no	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hc1.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://kompas.tv	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mystudentdashboard.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://songshare.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.mx	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://talkdeskqaid.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.pe	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://cardsayings.net	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mightytext.net	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://pudelek.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://joyreactor.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://cookreactor.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://wildixin.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://eworkbookcloud.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://nacion.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://chennien.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.cl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://talkdeskstgid.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://bonvivir.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://carcostadvisor.be	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://salemovetravel.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://sapo.io	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://wpext.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://welt.de	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://poalim.site	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://blackrockadvisorelite.it	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://cafemedia.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadoshops.com.ar	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://elpais.uy	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://landyrev.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://commentcamarche.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://tucarro.com.ve	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://rws3nvtvt.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://eleconomista.net	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolivre.com.br	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://clmbtech.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://standardsandpraiserepurpose.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://salemovefinancial.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.br	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://commentcamarche.net	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://etfacademy.it	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mighty-app.appspot.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hj.rs	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hearty.me	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.com.gt	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://timesinternet.in	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://idbs-staging.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://blackrock.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://idbs-eworkbook.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.co.cr	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://hjck.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://vrt.be	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://prisjakt.no	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://kompas.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://idbs-dev.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://wingify.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.cl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://player.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.ar	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.com.hn	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://linternaute.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://tucarro.com.co	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://landyrev.ru	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://clarosports.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://een.be	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://nien.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://punjabijagran.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://cmxd.com.mx	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://tolteck.app	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://grupolpg.sv	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://rws2nvtvt.com	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://abczdrowie.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://gallito.com.uy	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://money.pl	sets.json.0.dr	false	Avira URL Cloud: safe	unknown
https://mercadolibre.com.ve	sets.json.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.186.100	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447263
Start date and time:	2024-05-24 17:45:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@22/24@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 172.233.160.193, 172.233.160.191, 172.233.160.189, 172.233.160.194, 172.233.160.196, 172.233.160.187, 142.250.185.174, 74.125.133.84, 34.104.35.123, 216.58.206.67, 142.250.186.110
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, us-mia-1.linodeobjects.com.akadns.net, update.googleapis.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:45:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9940524226079104
Encrypted:	false
SSDEEP:	48:8CdRTZtNAHRidAKZdA1FehwiZUklqehny+3:88XkUy
MD5:	1D34CCEBCCFED8F226FA5BCA6E18F376
SHA1:	FFD25F317274ACA08E037F3FF15129084F8073CB
SHA-256:	4C14F5365EF88680757AF9BF41039FA009835BF46D011096F7EB11B8BE7F8A17
SHA-512:	42BD3B8336B59AB1168299D0E4D9AC7741CEAB0A5322DB85319BFD306951499401F9F6A6F85F14BCADC171B4B4D38D68C9203D2329F04BB352012D3D96144DC5
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....z.o...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:45:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.008471149621767
Encrypted:	false
SSDEEP:	48:8RdRTZtNAHRidAKZdA1seh/iZUkAQkqehEy+2:81Xa9QVy
MD5:	98CAC83CF527F057F2D61010797A8BD1
SHA1:	78FBA5567B06968FA70CBBEB8AC29D97B8CCFE46
SHA-256:	E287A2AF3BE178E27D4BA6E91FED7F9692A88C2CF59B44A3640D83E82BC2F3BF
SHA-512:	7552B4C7DEA7415155C841C44931F1C02CA637294D40E830B08A0ECD7B637A901CD7D85088AEF85FDCDB9874C955654DB68AF90658973AA999DC46E4B8047AC8
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......o...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.017135309997722
Encrypted:	false
SSDEEP:	48:8wdRTZtAHRidAKZdA14meh7sFiZUkmgqeh7sqy+BX:8iXQnwy
MD5:	33855FC996453E5F57294F7E26A19A2C
SHA1:	36E28D3A900EF1A5CCD5F146C45E2B1213E96EBE
SHA-256:	7366417E91E4BE0A53656C48C49AAC3903AA954127B9B32054E23D2D2F98694A
SHA-512:	C23A0D3C42539C2EA3AE12CA1360863FBD74A4E73038D498FF5D6BE22A574025C6938E4BB496D0C29DD0CDB4513A3F9E15B1EB34BCAFA3D86872587D749037DE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:45:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.004711333963497
Encrypted:	false
SSDEEP:	48:8vdRTZtNAHRidAKZdA1TehDiZUkwqehIy+R:8LXRiy
MD5:	6DD5ACA9C4AF91AE40A183B69F3B7A11
SHA1:	5A039461707E5F4E6DECBB7BD38E7ADDAA8B941B
SHA-256:	1B733320FD2B3EE85FE857D41E82871C2D6F27D89310B9DC4B21208E80302DBB
SHA-512:	B69577F3465F4440057C9E70A200C082792C045DA3B5189A4A80CA86DD1589C58EF4D6FCCFFC6DF562B2D8DE321E0D8D7D8E9EECBB9B121169A593B8F34E2F42
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....Y.o...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:45:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9935419172256807
Encrypted:	false
SSDEEP:	48:82dRTZtNAHRidAKZdA1dehBiZUk1W1qehGy+C:8gXR9my
MD5:	D1B41A76C2D689EA71E360C039A5A16C
SHA1:	1C96492EBF94B3D194C9E98D0D6538D29480FA48
SHA-256:	6AC2BA3254378BD4DBC77594AB3813BFB0492FF4A4A12A82781FDB68DF9A1162
SHA-512:	22CC2C63FD6DEEC510CA777CF16DF987DD81565697E17757263501BD31D03EFC730860CBD024EA3057B37C49E2AF4FAD348B0A403882DAE4F493A7029CAACD22
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......o...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 24 14:45:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.006356978342748
Encrypted:	false
SSDEEP:	48:8OdRTZtNAHRidAKZdA1duTeehOuTbbiZUk5OjqehOuTbwy+yT+:84X5TfTbxWOvTbwy7T
MD5:	4B139A77178CE1FB441EFDDAADE6854B
SHA1:	259DE113F4760D7EB51DB47F28902BCAA7801E3A
SHA-256:	7B5565414606398E73ECC292DAD4B323A7C1D28C45CC95F1D38A7C1650C9208C
SHA-512:	4332DA143FCABB70E3E0D649E9EE2E41B2CF297454B4E08EF50EB6DA4CFC5ECE58217EC63F0E7DFB8E727408858A99DC44E176A5F85C0ABF8DA28746907D58BF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......o...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.}....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.}....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.}....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.}..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.}...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............k.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1796
Entropy (8bit):	6.0093168185944865
Encrypted:	false
SSDEEP:	48:p/hNQI1EpFNF7akijXWNM+iFGp/ckGhP9l3:R/hE37azyM+iFGp/cnhll3
MD5:	29CE9329D8886B1F42A1B896B10A0B6E
SHA1:	A9A055BC9A53E70D7BA661F5546DD88C5D9294AB
SHA-256:	AFA4FC5D014466B16D9877B949446C941ADF2A430C74E5AF8B06E6F463488330
SHA-512:	2072E14867469E8EE9D46CDA74010E9B61C3927BC64ADFF14CF011F3CED04BD3C9F8AC075EEBBF146E262E3E7BAD6A6BE6DA51E48B10B6AB8A1C85B4B5D05598
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJjcl9lbi11c181MDAwMDBfaW5kZXguYmluIiwicm9vdF9oYXNoIjoiTnVGTm5CaVJlVUNXLVRrX1ZWT044bFlOaHdRZU1QN1hmMFlYTlp2bkFBVSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJnVzR3Z21pSjh1RkFzRDRNZlAzTk1kN2JNSHd3Y1NzQmVFTUlDeWNZa2FrIn1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoib2JlZGJiaGJwbW9qbmthbmljaW9nZ25tZWxtb29tb2MiLCJpdGVtX3ZlcnNpb24iOiIyMDI0MDQwNC42MjU0NzkwMTQuMTQiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"iIjAc7zPpBjXaW1ZRIsdiSkhsALJPPgLJXsSAvknuYhwnGbTQt30a2R3dq6Ip5T93qQyHyEoURPgn1cWV7kvqnC_IIQiExnBr62P1snXFQbQkcFyDs3YDoCRyY-VqUS5axjaoPVVX8lw-0O5JdRWs2AJBIyWCdiSKuzIoCv3Pcj2LwK2wSbYfSPPqvydcsNeALmGd2et--2x7br_RAFOHApN0Mwuxoc3f3KNAO-KJJ79_JQO_aribJmp0r27Q5MRmJ7JtCz-T5e-uiatYS4Um6rN9cCsC-xpRj3Z2prHseav73vPcCnfZJfnswJ

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\cr_en-us_500000_index.bin

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	7926077
Entropy (8bit):	6.569303550834104
Encrypted:	false
SSDEEP:	98304:WectRU8gCMgBqYKYeK71TR4IlS5P9ByPxADgKy4aKkXH9xeyY7lkwD9pNQgG:LKRVVJt4YwUxekXTeZCwDfrG
MD5:	0C9A8EF5F563D1ECD039E6E9AEB19378
SHA1:	5FF22E61D09C5D3CE656DD6EB8D2E02A318CC976
SHA-256:	7F5D76A6A2C2442FFA8E5E9E466827C97401D84D0644E156CF21B647BD47FBAF
SHA-512:	8C406CA47B3BF9EA336AE025FEBC00BFA6B9EA5D2CCEE4CC932096492A5E95B2C964CA74A85F6A2FD2D7F23E63B43F3919B69C4CADD3A9C6F39EC39E2822EA0F
Malicious:	false
Reputation:	low
Preview:	......wk....y}....a.....h..!..f.i2..gY.:..r..B..t_.K..c.NY..d..m..e.Ay..l....u{m...i....p/....m....b....s3....n.....o+....k.`...vM....zS5...q?....x.....j)3...1.....4.9...3+....5}<...2.....7.....9.....6.8...8.y...0+....6i.........&......K......................... ......+........ ..I...........7....$....%.... ....... . ........./............... .....-....... meaning`6... to ......rsula corber.......................lafur darri .lafsson.....)............#............ meaningF....Y.............1...... meaning............ meaning.x...............I..@)...... meaningx...(.....dgar guzm.n l.pez.....$ artist....#....... meaning......... . .......h. . .... ...........&.... meaningb...+ ...... ......P..... meaning`..... meaningz....ttestupaP{...ukasz witt-micha.owski>t.... meaning2l.... meaning(...M...... meaning...... meaning...... meaning.....eviri...

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.8299663321499313
Encrypted:	false
SSDEEP:	3:SR6yqDBuQgEgEhXPgUD6X8DDicDC:S8ynQBBhfgUI8jC
MD5:	223360B4A57E59761785B7D3152BBC18
SHA1:	54C5AD8869957E203DCC9D0FA86E15D67FB14CB1
SHA-256:	FEB4C43C584267068A906CF369BCF349EA1E26B8AFC4AF1CDF6E87F88DFE99AA
SHA-512:	0574A9C5E20C7F0BE15D5975D5B08312A9B72D8044AA4B4390A8788A708AAF85FE8D1E7781BEEF68F807BE87DA3D0689995011A7801C9F452ABAB368D23F55D7
Malicious:	false
Reputation:	low
Preview:	1.40530dd93ad0a5f406a909a50c9aec82f6be28a61208ef052823ff0b59fd3bdd

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.832091122903382
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifF0AAGAR3CKG/w/VpKS1/VhARE:F6VlMT2C7Y/VUS1URE
MD5:	55D0DA4886EFA9D373256980AFE0B0C4
SHA1:	495D838F50D5E76226480487BE4770FDF289BF2F
SHA-256:	816E30826889F2E140B03E0C7CFDCD31DEDB307C30712B017843080B271891A9
SHA-512:	0591312EE7C3E51CD0B2C13CD97AAB7F65FB8FB1EAF65DDEF3E3A7A49218893E1827CA3B217ECACFEB02BDE8926AE81AD893DB1031B2E891D2B06AFF6A6D5327
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "OnDeviceHeadSuggestENUS500000",. "version": "20240404.625479014.14".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Reputation:	low
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	6.011074928584453
Encrypted:	false
SSDEEP:	48:p/hUI1OJi9beAdIih7ak7nEGfpSVzTuc3h0k0Qc/Il:RnODQIK7aRGIVzT7x0FQcS
MD5:	55FAB119C4B25E3B96B68A1412A400B6
SHA1:	BDDA56C51ADEBE8ED0E92658B5020186270085B5
SHA-256:	6DDD430EC4522578FC545E37B7811B740AE9BAE80EBCDBE44ABEF6289B82E2EB
SHA-512:	9833E793F611C0D2160862408935704096DA1D578849C2B89F0C99CF11D3B9B5CDADFAB8CE3CB95E2BAB0EBC832C3A31E18DC1887CE13ABC2B4F9A8669FB72F0
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJqckFSLVVIVm9rYzFLekFkLUhNQTBJZ2RmbEQ5X1J3M3ppLUYzUGxHU1pvIn0seyJwYXRoIjoic2V0cy5qc29uIiwicm9vdF9oYXNoIjoiQWJUeGNVWWl0ZnVkSnA5NmJ5OGVYQWZEUUpxX3NHWjdVN3hHUnRiaTM2ayJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImdvbnBlbWRna2pjZWNkZ2JuYWFiaXBwcGJtZ2ZnZ2JlIiwiaXRlbV92ZXJzaW9uIjoiMjAyNC41LjIxLjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"DJUEsHDAI0AGK3w3jfw5scOk3HjHnjZ4gxIBDB4YnKUhSi9AvwoibuHc-JTjNxXq4H3u0Mm1kxrYSzJkg_shtc_vtgqBbzDPJxy_eCsqtWMErjzYm8ixkrqZGI4848kNexGROP-eEaLsIEpjFAqVqlWiEgETzbJxgELBWKSOwGGsUGMhx9Op6bhb7wuBVJkq5_H1aksmXJg49Oc6EJj6HSaR4EapNnEcQ8WO7Mj6udA--b6JBVrEOBl

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.9163360835085737
Encrypted:	false
SSDEEP:	3:SVOSUQDGAYHXQDJdXVBXHEBGzmyAdV9GA:SV4W/XVBUBXdOA
MD5:	224A1E3D38F496B70BB0A38D237F8FCE
SHA1:	FBC6B5A7C15349EE150549276F58B71674C05513
SHA-256:	1538B4C21BDABACD90069B3EFC35E1FA898694695BCC136B08A2586005645A2D
SHA-512:	A14A6A97C04593427C0D66B5F8D0892AB0887B17CA578B4A283C0625DC9949016BD7D69741BF18E16B94A15BB53021772B5DFF1F6195AA995242482266C8BB20
Malicious:	false
Reputation:	low
Preview:	1.046a7153ace40b4c1fcb2423ffdd0bda38820d2bade6aa5ab6929fe80e4acea3

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.447544204264198
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFCmMARWHJqS1gLian:F6VlM8aRWpqS1gLia
MD5:	F67F1900F79CA094D0FC2182B79E7A60
SHA1:	B0C783FB7F8985C82313C2AC4606A820FFEE7C4B
SHA-256:	8EB011F941D5A247352B301DF87300D0881D7E50FDFD1C37CE2F85DCF946499A
SHA-512:	CD1F6C7B717156BE99247CA581F982246B55F419307E4222191F623BE09F5FB2EF6F881EA4BCE0C0DE23BE3F6FCE4D0DE06E66CF2311FCD6FD097C33DF380EE3
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2024.5.21.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\sets.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8141
Entropy (8bit):	4.6184691591564295
Encrypted:	false
SSDEEP:	96:Mon4mdqX1gs1/BNKLcxbdmf56G8RTGXvcxyuP+8qJq:v7qljBkIVDRTGXvcxNsq
MD5:	B63AD3A7023C80F4D2D24BF4AC4145B7
SHA1:	582BFCD098EB6E63B5420F19A81CD3C04D5CD945
SHA-256:	86DFE2A9896CA7CAD92BD313A27ED185339D0E4729EDAEB95C1D6A2CBEBB79AA
SHA-512:	1DE2B098A7C1DC4F12E4DB514960A2366DA0D0672618AD4462D72D25C66D2D81FF02D4CA26FF78FED011CB6A38F2FDA054297EA619EC4662021420ECB64912BA
Malicious:	false
Reputation:	low
Preview:	{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://elpais.com.uy","associatedSites":["https://clubelpais.com.uy","https://paula.com.uy","https://gallito.com.uy"],"ccTLDs":{"https://elpais.com.uy":["https://elpais.uy"]}}.{"primary":"https:/

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Reputation:	low
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1862
Entropy (8bit):	6.014706711146653
Encrypted:	false
SSDEEP:	48:p/hU24u7BnPAdtg/kakPvRAaahv7w6gkIH6N:R37BnPQthawvqaahvkZcN
MD5:	B38ADE4628789BC0AF72C3195C3B0118
SHA1:	EAE8538E7085506CD3F1F5B6D021F4CD174FF367
SHA-256:	3B09FA7103DC6D7855C7CB6576E6BAD344BA23EC03B49873FCDBBFAE02528090
SHA-512:	95BA6E2E947D1F8AEB1CA33BC524FE4E6ED740AFA9615C81ABCE55A1C17EBFCD4CA36CDCAA804122CFBEC2F2953AEB863F9ADF8AB3D624BC116C871213577CB5
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6ImtleXMuanNvbiIsInJvb3RfaGFzaCI6IlRBNzFkb0ViZ0hJdFA2VVM2dTlVdmlOLWJreHlENTRYUWEwSlRKUGt4SXcifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiMzhIaFJ6Wk16a2NJNE5TNjFUNUdacDdjRFA0UHFjZVBkenFOWHVXN2VKVSJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImtpYWJoYWJqZGJramRwamJwaWdmb2RiZGptYmdsY29vIiwiaXRlbV92ZXJzaW9uIjoiMjAyNC41LjMuMSIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"iLxSmn_bvHe8qux2gcjspPuaODsvzL7beWx-CIbJ22n_2UNtS3owYr2nS6SKu48sJE76dIBpZ6URXv0QVPXl6FwS6fRv3Nhg9d_t0ErbeE2LcqaL5yb6WOhqEBiOBZ7iPGxq0PF4fS-RKUd-Ib7vKDiGbuleeEeRpCIvTJkE1DJEeAomuB5sPPN_lcFUVW7w3gxnTN3uM_TlKwak_Fj_HuWBGLzltv4R6WWAZOOKxSyNcCS495SsShB-M

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\keys.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6533
Entropy (8bit):	5.9730613402179875
Encrypted:	false
SSDEEP:	96:UXq6pG2GE+ryi+m0plhYvPuW+w78+ozdswsDm4+ukNl0qnu/Q3a8I+y:uNtGbrQm4lOvMw7joR9Pu+l0v/Ua8/y
MD5:	E2E2E3B27DBE8EBB1E5A1689CBADA547
SHA1:	0F173E6F154E12CE6774B006A4CC42D7A680F7A1
SHA-256:	0AF9BE189481B755CECEC6901AB03E1F41557760157501F7D57570222DB5944A
SHA-512:	E9C6E2D78DF50474EE1FD4C01BF05C135DFC180817BA204FA10FE4D7C0C7560954A905244AED474220DD773645DAB7C647CCD53FE82896D70F9177EFDF6A85B0
Malicious:	false
Reputation:	low
Preview:	{"https://issuer.captchafox.com":{"PrivateStateTokenV1VOPRF":{"batchsize":1,"id":1,"keys":{"0":{"Y":"AAAAAQQiyE+SESbq7GU5rTx6tZO4tBOxljp+Oya2mU28O+YoALIyXlLLqnl/h5h95ExYSsOlmMIb8EdsJBTrCaDl/KIZSskrfMbZpjhShG0jwnbXojEHI9WaAxKLkX/A/DkyMEg=","expiry":"1734807628115000"},"1":{"Y":"AAAAAQRNtld+5LLBquS4bEJKJwlLw61tzIyqTNkvMVnUTu+YiphbdGrRCjeDTN9D3p1Tgpfmq0N/OKMBYWzDMEN8Km9p9s49c6N2ph4B1MV1m7Ogdj969MOsTw54Kc849oqDl8s=","expiry":"1734807628115000"},"2":{"Y":"AAAAAQSBWW003A3ORFURCZrWNnbEIH15yzk184DaLSebbGzRdyCYtAM1qhhVmXZyBtWTzh6Bfkk5rLPyE1xdQilofPBizF/QJsdaMU0GYhPW1sOU4xoKbmgd/XrnOoFqA2ETOuc=","expiry":"1734807628115000"},"3":{"Y":"AAAAAQSG/ftGdm5B6iwAmVsHt6s43xx3nRf/Vpx9GdeEt3jSTM8hHvyLE9FAEkinGjt4Fp5EjnkCdE96Cxz10nZJRrMApIrGhG5kAoDu4T8PjJPiFQFyHAOdTG7OJWi2NS/rl1A=","expiry":"1734807628115000"},"4":{"Y":"AAAAAQT36tqe550UP5A+4Eokt8iuPZEuWQc9cGJXd7zUCZzrsqtGu3PMcVbOj5DjC4W+yoyF3HqKOqdtiBWgcMsZOcyln/6jUKqf5tS9AoIHa9CC3kQB8ISQd3lhR5j+qWVY8ms=","expiry":"1734807628115000"},"5":{"Y":"AAAAAQQMjaLNCR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.902010082182711
Encrypted:	false
SSDEEP:	3:SUDoUHoaAXGEHcFbDRsAQQ7:SUcUHoLWTVZ7
MD5:	C36BF882013954DC863B7071B8F14D22
SHA1:	7CC87E464389E90B2B2ADB929FC05768C9E0FF90
SHA-256:	A8EDD0855EC3E165C7E7EB1A01F4674AEE687D467A744DFD2B1DB8AE768C750A
SHA-512:	71E28997D3866B1DD3ACC415E3FDCF7B1BADE7F60A325975B44A177C87F7357A259028CC3470EA3ED584E03EE591FA822E91ABE1B0FCFD4FCD7AFF0B23E96868
Malicious:	false
Reputation:	low
Preview:	1.153e9301be7e862a33e2cab936a0a97e2f8bdf2dae1be516d6fe8a5f184ce028

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	78
Entropy (8bit):	4.461657354427988
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFIPgS1gLMUHA:F6VlMyPgS1gLVHA
MD5:	F484730E3678D8A3D9D2E39EC6E43AA5
SHA1:	01567FAE3CBD5BEAF099F5CCBD0A2F2D39F620AC
SHA-256:	DFC1E147364CCE4708E0D4BAD53E46669EDC0CFE0FA9C78F773A8D5EE5BB7895
SHA-512:	FFB55A70258AAF3B6C3DE39298CB0CD0700263C6CFB83CA26A798C41082925F2B45D49B23746D7AE971346B94E8F545F72B005B19E6F16B0955623A1313F9E33
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "trustToken",. "version": "2024.5.3.1".}

Chrome Cache Entry: 140

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	269
Entropy (8bit):	5.156258281363816
Encrypted:	false
SSDEEP:	6:TMVBd/IqZjZvKtvRsJJE5lBZzhgfDBBor52hRWorjFan:TMHd1BZKtvRsrKvz2bByV0FNa
MD5:	88DDC278BF333B4E3B6DB7FAF9064E57
SHA1:	0C40C847914D513469FCEDB10B1DB9CE9E033A14
SHA-256:	443C8626A27038F49FAA764FDB68DA6849845BCE323973D0400258977434DCF6
SHA-512:	BA416D13FA2EA14FE481882A05D8E8637CDE1A29AB8AA8D8C0428446A0F635042FFC2B61FF9B2A80D719B789354CFEF35EA41D5654D98B7E424D8F954C2F09E4
Malicious:	false
Reputation:	low
URL:	http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com/
Preview:	<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><BucketName>login-microsoftonline-com-mfaauthentication-secured</BucketName><RequestId>tx00000829da5f26d7f1f78-006650b626-3c933cd9-default</RequestId><HostId>3c933cd9-default-default</HostId></Error>

Chrome Cache Entry: 141

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	269
Entropy (8bit):	5.1693068747149145
Encrypted:	false
SSDEEP:	6:TMVBd/IqZjZvKtvRsJJE5lBZzh2352hVCjFan:TMHd1BZKtvRsrKvzEJwSa
MD5:	1DC0D16C4B4551D7549C3C4E673B8FBA
SHA1:	081FEC03CCFE19FD2BC438DFDD48F67661AF6087
SHA-256:	E554B5091DD45E3CC6A57767A7E5A06AE0931BFE5EF0157FB4F15BC1D684DF60
SHA-512:	352F8B57133D8AE23FD98469AE31374920D05D31C513C06A9E179C748D1AF257CFDC28C880D450A46E80EAA864B3E72088B4CA119A75B53D240BA361AFE62BA7
Malicious:	false
Reputation:	low
URL:	http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com/favicon.ico
Preview:	<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><BucketName>login-microsoftonline-com-mfaauthentication-secured</BucketName><RequestId>tx00000d865cdc7a5be4245-006650b626-3c93735c-default</RequestId><HostId>3c93735c-default-default</HostId></Error>

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 17:45:42.658802986 CEST	49673	443	192.168.2.16	204.79.197.203
May 24, 2024 17:45:42.962009907 CEST	49673	443	192.168.2.16	204.79.197.203
May 24, 2024 17:45:43.568485975 CEST	49673	443	192.168.2.16	204.79.197.203
May 24, 2024 17:45:44.783999920 CEST	49673	443	192.168.2.16	204.79.197.203
May 24, 2024 17:45:45.087274075 CEST	49688	443	192.168.2.16	2.23.209.182
May 24, 2024 17:45:46.632968903 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:46.633008957 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:46.633104086 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:46.633378983 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:46.633388996 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:47.190047979 CEST	49673	443	192.168.2.16	204.79.197.203
May 24, 2024 17:45:47.374185085 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:47.374633074 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:47.374664068 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:47.375622988 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:47.375713110 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:47.376945972 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:47.377002954 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:47.430093050 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:47.430157900 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:47.478049040 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:48.897229910 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:48.897284031 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:48.897380114 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:48.899306059 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:48.899324894 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.550208092 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.550322056 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.554838896 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.554852009 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.555144072 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.596137047 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.642496109 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.845312119 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.845386028 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.845494032 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.845588923 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.845588923 CEST	49713	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.845607996 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.845621109 CEST	443	49713	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.879272938 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.879300117 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:49.879376888 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.879718065 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:49.879740000 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:50.606528044 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:50.606616974 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:50.608177900 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:50.608196974 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:50.608448029 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:50.609814882 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:50.650511026 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:50.832549095 CEST	49678	443	192.168.2.16	20.189.173.10
May 24, 2024 17:45:50.895077944 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:50.895191908 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:50.896176100 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:50.896291018 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:50.896323919 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:50.896347046 CEST	49714	443	192.168.2.16	184.28.90.27
May 24, 2024 17:45:50.896354914 CEST	443	49714	184.28.90.27	192.168.2.16
May 24, 2024 17:45:51.099373102 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:51.099417925 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:51.099494934 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:51.100697041 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:51.100707054 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:51.136521101 CEST	49678	443	192.168.2.16	20.189.173.10
May 24, 2024 17:45:51.741084099 CEST	49678	443	192.168.2.16	20.189.173.10
May 24, 2024 17:45:51.887095928 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:51.887212038 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:51.890068054 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:51.890089035 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:51.890619040 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:51.934070110 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:51.950565100 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:51.994513035 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:51.998056889 CEST	49673	443	192.168.2.16	204.79.197.203
May 24, 2024 17:45:52.184788942 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.184858084 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.184873104 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.184916019 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.184947968 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.184950113 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:52.184984922 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.185012102 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:52.185034990 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:52.204415083 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.204554081 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.204577923 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:52.204641104 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:52.204787016 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:52.204802990 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.204818964 CEST	49715	443	192.168.2.16	52.165.165.26
May 24, 2024 17:45:52.204823971 CEST	443	49715	52.165.165.26	192.168.2.16
May 24, 2024 17:45:52.956023932 CEST	49678	443	192.168.2.16	20.189.173.10
May 24, 2024 17:45:55.306504011 CEST	49680	80	192.168.2.16	192.229.211.108
May 24, 2024 17:45:55.370178938 CEST	49678	443	192.168.2.16	20.189.173.10
May 24, 2024 17:45:55.610146999 CEST	49680	80	192.168.2.16	192.229.211.108
May 24, 2024 17:45:56.217094898 CEST	49680	80	192.168.2.16	192.229.211.108
May 24, 2024 17:45:57.278111935 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:57.278254986 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:57.278351068 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:57.418080091 CEST	49680	80	192.168.2.16	192.229.211.108
May 24, 2024 17:45:57.963085890 CEST	49711	443	192.168.2.16	142.250.186.100
May 24, 2024 17:45:57.963119984 CEST	443	49711	142.250.186.100	192.168.2.16
May 24, 2024 17:45:59.828047991 CEST	49680	80	192.168.2.16	192.229.211.108
May 24, 2024 17:46:00.180095911 CEST	49678	443	192.168.2.16	20.189.173.10
May 24, 2024 17:46:01.599123001 CEST	49673	443	192.168.2.16	204.79.197.203
May 24, 2024 17:46:04.640070915 CEST	49680	80	192.168.2.16	192.229.211.108
May 24, 2024 17:46:09.785571098 CEST	49678	443	192.168.2.16	20.189.173.10
May 24, 2024 17:46:14.251146078 CEST	49680	80	192.168.2.16	192.229.211.108
May 24, 2024 17:46:28.714184046 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:28.714255095 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:28.714382887 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:28.714832067 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:28.714847088 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.463901043 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.464119911 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.465614080 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.465624094 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.465863943 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.467498064 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.510509014 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.808326006 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.808353901 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.808372021 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.808593035 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.808623075 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.808691025 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.818568945 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.818610907 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.818660021 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.818675041 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.818866014 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.818883896 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.818902969 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:29.818912983 CEST	49716	443	192.168.2.16	52.165.165.26
May 24, 2024 17:46:29.818917990 CEST	443	49716	52.165.165.26	192.168.2.16
May 24, 2024 17:46:30.038309097 CEST	49697	80	192.168.2.16	2.19.126.137
May 24, 2024 17:46:30.038398027 CEST	49699	80	192.168.2.16	2.19.126.137
May 24, 2024 17:46:30.056427002 CEST	80	49697	2.19.126.137	192.168.2.16
May 24, 2024 17:46:30.056503057 CEST	49697	80	192.168.2.16	2.19.126.137
May 24, 2024 17:46:30.065735102 CEST	80	49699	2.19.126.137	192.168.2.16
May 24, 2024 17:46:30.065807104 CEST	49699	80	192.168.2.16	2.19.126.137
May 24, 2024 17:46:44.889516115 CEST	62398	53	192.168.2.16	1.1.1.1
May 24, 2024 17:46:44.895121098 CEST	53	62398	1.1.1.1	192.168.2.16
May 24, 2024 17:46:44.895211935 CEST	62398	53	192.168.2.16	1.1.1.1
May 24, 2024 17:46:44.895281076 CEST	62398	53	192.168.2.16	1.1.1.1
May 24, 2024 17:46:44.924122095 CEST	53	62398	1.1.1.1	192.168.2.16
May 24, 2024 17:46:45.368458986 CEST	53	62398	1.1.1.1	192.168.2.16
May 24, 2024 17:46:45.369307995 CEST	62398	53	192.168.2.16	1.1.1.1
May 24, 2024 17:46:45.375847101 CEST	53	62398	1.1.1.1	192.168.2.16
May 24, 2024 17:46:45.375936031 CEST	62398	53	192.168.2.16	1.1.1.1
May 24, 2024 17:46:46.637293100 CEST	62401	443	192.168.2.16	142.250.186.100
May 24, 2024 17:46:46.637337923 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:46:46.637413025 CEST	62401	443	192.168.2.16	142.250.186.100
May 24, 2024 17:46:46.637728930 CEST	62401	443	192.168.2.16	142.250.186.100
May 24, 2024 17:46:46.637749910 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:46:47.310849905 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:46:47.311377048 CEST	62401	443	192.168.2.16	142.250.186.100
May 24, 2024 17:46:47.311393976 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:46:47.311672926 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:46:47.312046051 CEST	62401	443	192.168.2.16	142.250.186.100
May 24, 2024 17:46:47.312098980 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:46:47.356173992 CEST	62401	443	192.168.2.16	142.250.186.100
May 24, 2024 17:46:57.258435011 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:46:57.258537054 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:46:57.258786917 CEST	62401	443	192.168.2.16	142.250.186.100
May 24, 2024 17:46:57.966279984 CEST	62401	443	192.168.2.16	142.250.186.100
May 24, 2024 17:46:57.966306925 CEST	443	62401	142.250.186.100	192.168.2.16
May 24, 2024 17:47:19.231436014 CEST	49700	80	192.168.2.16	192.229.221.95
May 24, 2024 17:47:19.245893002 CEST	80	49700	192.229.221.95	192.168.2.16
May 24, 2024 17:47:19.245982885 CEST	49700	80	192.168.2.16	192.229.221.95

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 17:45:41.729518890 CEST	55749	53	192.168.2.16	1.1.1.1
May 24, 2024 17:45:41.729518890 CEST	63994	53	192.168.2.16	1.1.1.1
May 24, 2024 17:45:41.736282110 CEST	53	61461	1.1.1.1	192.168.2.16
May 24, 2024 17:45:41.770153046 CEST	53	63994	1.1.1.1	192.168.2.16
May 24, 2024 17:45:41.817545891 CEST	53	61560	1.1.1.1	192.168.2.16
May 24, 2024 17:45:42.929423094 CEST	53	50155	1.1.1.1	192.168.2.16
May 24, 2024 17:45:46.586234093 CEST	63677	53	192.168.2.16	1.1.1.1
May 24, 2024 17:45:46.586405993 CEST	50022	53	192.168.2.16	1.1.1.1
May 24, 2024 17:45:46.623102903 CEST	53	63677	1.1.1.1	192.168.2.16
May 24, 2024 17:45:46.632555962 CEST	53	50022	1.1.1.1	192.168.2.16
May 24, 2024 17:45:59.931396008 CEST	53	52101	1.1.1.1	192.168.2.16
May 24, 2024 17:46:18.976093054 CEST	53	53140	1.1.1.1	192.168.2.16
May 24, 2024 17:46:41.656275034 CEST	53	54452	1.1.1.1	192.168.2.16
May 24, 2024 17:46:41.782556057 CEST	53	60539	1.1.1.1	192.168.2.16
May 24, 2024 17:46:44.888554096 CEST	53	59622	1.1.1.1	192.168.2.16
May 24, 2024 17:46:46.995858908 CEST	138	138	192.168.2.16	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 24, 2024 17:45:41.823069096 CEST	192.168.2.16	1.1.1.1	c23f	(Port unreachable)	Destination Unreachable
May 24, 2024 17:45:46.632631063 CEST	192.168.2.16	1.1.1.1	c209	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 17:45:41.729518890 CEST	192.168.2.16	1.1.1.1	0x9c27	Standard query (0)	login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com	A (IP address)	IN (0x0001)	false
May 24, 2024 17:45:41.729518890 CEST	192.168.2.16	1.1.1.1	0xda56	Standard query (0)	login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com	65	IN (0x0001)	false
May 24, 2024 17:45:46.586234093 CEST	192.168.2.16	1.1.1.1	0xb4b7	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 24, 2024 17:45:46.586405993 CEST	192.168.2.16	1.1.1.1	0x26d0	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 17:45:41.759743929 CEST	1.1.1.1	192.168.2.16	0x9c27	No error (0)	login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com	us-mia-1.linodeobjects.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 17:45:41.759743929 CEST	1.1.1.1	192.168.2.16	0x9c27	No error (0)	us-mia-1.linodeobjects.com	us-mia-1.linodeobjects.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 17:45:41.770153046 CEST	1.1.1.1	192.168.2.16	0xda56	No error (0)	login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com	us-mia-1.linodeobjects.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 17:45:41.770153046 CEST	1.1.1.1	192.168.2.16	0xda56	No error (0)	us-mia-1.linodeobjects.com	us-mia-1.linodeobjects.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 17:45:46.623102903 CEST	1.1.1.1	192.168.2.16	0xb4b7	No error (0)	www.google.com		142.250.186.100	A (IP address)	IN (0x0001)	false
May 24, 2024 17:45:46.632555962 CEST	1.1.1.1	192.168.2.16	0x26d0	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49713	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-05-24 15:45:49 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-24 15:45:49 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=174265 Date: Fri, 24 May 2024 15:45:49 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.16	49714	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-05-24 15:45:50 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-24 15:45:50 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=174200 Date: Fri, 24 May 2024 15:45:50 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-24 15:45:50 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.16	49715	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-05-24 15:45:51 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=k7+ccPnv+M53ByL&MD=Tu7U6NTy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-24 15:45:52 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 83287dee-367b-4eed-aee1-0c29dc7ef070 MS-RequestId: fb079ecb-80fe-4550-a073-5b065b12c106 MS-CV: ntm2uZIDzUO150nE.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 24 May 2024 15:45:51 GMT Connection: close Content-Length: 24490
2024-05-24 15:45:52 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-24 15:45:52 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.16	49716	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-05-24 15:46:29 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=k7+ccPnv+M53ByL&MD=Tu7U6NTy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-24 15:46:29 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: 6c5c9d34-5d5e-49fe-bc35-fc342c4a9946 MS-RequestId: 843d900a-6458-42ec-86c6-ecf7395a4508 MS-CV: NEZjIPDfI0CNyHIP.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 24 May 2024 15:46:29 GMT Connection: close Content-Length: 25457
2024-05-24 15:46:29 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-24 15:46:29 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 3548, Parent PID: 3868

General

Target ID:	0
Start time:	11:45:40
Start date:	24/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com/
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6364, Parent PID: 3548

General

Target ID:	1
Start time:	11:45:40
Start date:	24/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1892,i,62843956981060036,4939168404260718546,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\cr_en-us_500000_index.bin

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1081194121\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1148510991\sets.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\keys.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3548_1966647173\manifest.json

Chrome Cache Entry: 140

Chrome Cache Entry: 141

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

Windows Analysis Report
http://login-microsoftonline-com-mfaauthentication-secured.us-mia-1.linodeobjects.com