Windows Analysis Report
https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

Overview

General Information

Sample URL:	https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html
Analysis ID:	1447739
Infos:

Detection

HTMLPhisher

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected HtmlPhish10

AI detected suspicious javascript

Detected non-DNS traffic on DNS port

Form action URLs do not match main URL

HTML body contains low number of good links

HTML title does not match URL

Stores files to the Windows start menu directory

Suspicious form URL found

Uses insecure TLS / SSL version for HTTPS connection

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Multi AV Scanner detection for submitted file

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

Virustotal: Detection: 9%

Perma Link

Phishing

AI detected phishing page

Source: https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/webmail-logo.svg

LLM: Score: 8 brands: Webmail Reasons: The URL is suspicious as it does not match any known legitimate domain for a webmail service. The domain 'r2.dev' is not typically associated with webmail services and could be used to host phishing content. The presence of a login form asking for email and password without any additional security measures like CAPTCHA is also concerning. The overall design mimics legitimate webmail services, which is a common social engineering technique used in phishing attacks. DOM: 0.0.pages.csv

Yara detected HtmlPhish10

Source: Yara match

File source: 1.1.pages.csv, type: HTML

AI detected suspicious javascript

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

LLM: Score: 9 Reasons: The JavaScript code captures email and password inputs and sends them to an external URL (https://givenger.duckdns.org/nwe/x1.php) via an AJAX POST request. This behavior is indicative of phishing or credential harvesting, which is highly malicious. DOM: 1.1.pages.csv

Form action URLs do not match main URL

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: Form action: https://givenger.duckdns.org/nwe/x1.php?inc r2 duckdns

HTML body contains low number of good links

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: Number of links: 0

HTML title does not match URL

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: Title: Webmail :: Welcome to Webmail does not match URL

Suspicious form URL found

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: Form action: https://givenger.duckdns.org/nwe/x1.php?inc

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: <input type="password" .../> found

Source: https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/webmail-logo.svg	HTTP Parser: No favicon
Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html	HTTP Parser: No favicon

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: No <meta name="author".. found

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: No <meta name="copyright".. found

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49741 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49729 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029493 ET CURRENT_EVENTS Possible Glitch.me Phishing Domain 192.168.2.5:61928 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2029493 ET CURRENT_EVENTS Possible Glitch.me Phishing Domain 192.168.2.5:61590 -> 1.1.1.1:53

Detected non-DNS traffic on DNS port

Source: global traffic	TCP traffic: 192.168.2.5:49714 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:51587 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:54606 -> 1.1.1.1:53

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49741 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html HTTP/1.1Host: pub-c53ac24b12464864b63e147b424f6afa.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery.js HTTP/1.1Host: shocking-northern-globeflower.glitch.meConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/deps/bootstrap.min_s%3D1707945294.css HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/plugins/skins/login_s%3D1677694319.css HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/brands/181/11074/styles.2_s%3D1689619297.css HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/plugins/jqueryui/themes/elastic/jquery-ui.min_s%3D1705745704.css HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/program/js/jquery.min_s%3D1707945181.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/program/js/common_s%3D1705745704.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/program/js/app_s%3D1707943829.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/program/js/jstz.min_s%3D1705745709.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/plugins/skins/punycode_s%3D1677694319.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/ui_s%3D1677694320.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/plugins/jqueryui/js/jquery-ui.min_s%3D1705745704.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/fonts/roboto-v18-greek-ext_cyrillic-ext_cyrillic_greek_latin-ext_latin-regular.woff2 HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-c53ac24b12464864b63e147b424f6afa.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/brands/181/11074/styles.2_s%3D1689619297.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/webmail-logo.svg HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: objectReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/fonts/roboto-v18-greek-ext_cyrillic-ext_cyrillic_greek_latin-ext_latin-regular.woff HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-c53ac24b12464864b63e147b424f6afa.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/brands/181/11074/styles.2_s%3D1689619297.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: pub-c53ac24b12464864b63e147b424f6afa.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPREFS=full

Source: global traffic	DNS traffic detected: DNS query: pub-c53ac24b12464864b63e147b424f6afa.r2.dev
Source: global traffic	DNS traffic detected: DNS query: shocking-northern-globeflower.glitch.me
Source: global traffic	DNS traffic detected: DNS query: pub-3588bd29371644b4ba49e89c840c7b96.r2.dev
Source: global traffic	DNS traffic detected: DNS query: stackpath.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 26 May 2024 22:33:25 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 88a13a0c3e830cba-EWR

Source: chromecache_154.2.dr	String found in binary or memory: http://code.iamcal.com/php/rfc822/
Source: chromecache_143.2.dr, chromecache_152.2.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: chromecache_154.2.dr	String found in binary or memory: http://dev.rubyonrails.org/changeset/7271
Source: chromecache_154.2.dr	String found in binary or memory: http://idn.icann.org/E-mail_test)
Source: chromecache_155.2.dr, chromecache_145.2.dr	String found in binary or memory: http://jqueryui.com
Source: chromecache_145.2.dr	String found in binary or memory: http://jqueryui.com/themeroller/?bgShadowXPos=&bgOverlayXPos=&bgErrorXPos=&bgHighlightXPos=&bgConten
Source: chromecache_154.2.dr	String found in binary or memory: http://rumkin.com
Source: chromecache_148.2.dr	String found in binary or memory: http://tools.ietf.org/html/rfc3492#section-3.4
Source: chromecache_152.2.dr	String found in binary or memory: http://twitter.github.com/bootstrap/)
Source: chromecache_152.2.dr	String found in binary or memory: http://www.gnu.org/licenses/
Source: chromecache_154.2.dr	String found in binary or memory: http://www.michaelapproved.com/articles/timezone-detect-and-ignore-daylight-saving-time-dst/
Source: chromecache_155.2.dr	String found in binary or memory: https://bugs.jqueryui.com/ticket/8593
Source: chromecache_156.2.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jstimezonedetect/1.0.7/jstz.min.js
Source: chromecache_150.2.dr	String found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
Source: chromecache_152.2.dr	String found in binary or memory: https://fullcalendar.io/
Source: chromecache_146.2.dr, chromecache_142.2.dr	String found in binary or memory: https://getbootstrap.com/)
Source: chromecache_144.2.dr	String found in binary or memory: https://github.com/jquery/jquery/tree/3.5.1
Source: chromecache_143.2.dr	String found in binary or memory: https://github.com/roundcube/elastic/issues/45
Source: chromecache_142.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
Source: chromecache_146.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_146.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: chromecache_143.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/issues/20219)
Source: chromecache_143.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/issues/25428
Source: chromecache_148.2.dr	String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: chromecache_148.2.dr	String found in binary or memory: https://mths.be/punycode
Source: chromecache_150.2.dr	String found in binary or memory: https://www.cloudflare.com/favicon.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54610 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49729 version: TLS 1.2

Source: classification engine

Classification label: mal84.phis.win@22/42@12/8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2096,i,2661542040895567109,9855717602252006107,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2096,i,2661542040895567109,9855717602252006107,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.18.3.35	pub-3588bd29371644b4ba49e89c840c7b96.r2.dev	United States	13335	CLOUDFLARENETUS	false
104.18.2.35	pub-c53ac24b12464864b63e147b424f6afa.r2.dev	United States	13335	CLOUDFLARENETUS	false
44.193.185.113	shocking-northern-globeflower.glitch.me	United States	14618	AMAZON-AESUS	false
104.18.11.207	stackpath.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.16.196	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.6
192.168.2.5

Contacted Domains

Name	IP	Active
stackpath.bootstrapcdn.com	104.18.11.207	true
bg.microsoft.map.fastly.net	199.232.210.172	true
pub-3588bd29371644b4ba49e89c840c7b96.r2.dev	104.18.3.35	true
www.google.com	172.217.16.196	true
shocking-northern-globeflower.glitch.me	44.193.185.113	true
pub-c53ac24b12464864b63e147b424f6afa.r2.dev	104.18.2.35	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/program/js/common_s%3D1705745704.js	false	Avira URL Cloud: safe	unknown
https://shocking-northern-globeflower.glitch.me/jquery.js	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/brands/181/11074/styles.2_s%3D1689619297.css	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/program/js/app_s%3D1707943829.js	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js	false	URL Reputation: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/fonts/roboto-v18-greek-ext_cyrillic-ext_cyrillic_greek_latin-ext_latin-regular.woff2	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/program/js/jquery.min_s%3D1707945181.js	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/fonts/roboto-v18-greek-ext_cyrillic-ext_cyrillic_greek_latin-ext_latin-regular.woff	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/program/js/jstz.min_s%3D1705745709.js	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/ui_s%3D1677694320.js	false	Avira URL Cloud: safe	unknown
https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/favicon.ico	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/webmail-logo.svg	true		unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/plugins/jqueryui/themes/elastic/jquery-ui.min_s%3D1705745704.css	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/plugins/skins/punycode_s%3D1677694319.js	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/deps/bootstrap.min_s%3D1707945294.css	false	Avira URL Cloud: safe	unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/plugins/jqueryui/js/jquery-ui.min_s%3D1705745704.js	false	Avira URL Cloud: safe	unknown
https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html	true		unknown
https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/plugins/skins/login_s%3D1677694319.css	false	Avira URL Cloud: safe	unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 26 21:33:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	3467A15F13598B5354E2E3D68EEB609B	4F6FDC03993CC403F83E2C7013B027AB694B998B	1FC0D262A480EA74FB12F4A710B06DB006A8CA15A66B62656F34834724022661
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 26 21:33:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	FC4EF83061CDBFF0C181D6A4A1A28FBC	4CE3CB919A5820FCF950A0F7BBA9A313097AC045	90D8FC72DAE6E08103DA6B9183317F8524EEDC45299386EFE0E69BD983FD98C3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	B894DCAD47423BEBBC9D204A27DAEF10	808053442E5C4E17C5C87D5AF4576A1E6D4C0B42	E33AE32E28B297940FB52A46CBCBE879906E49F969086666BD89B57CF3372E82
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 26 21:33:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	FACC0626C22AB93506A2445105B3CDF0	805D79DAAB01CF4FEEDBC5BB23695C5C5C8FA1A9	57B1F762E5717DB201A4DF7E29CE3F4A65CB6C908CF16105C1829F335620CE95
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 26 21:33:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	91E98BD376205392A20135DA04D4F759	B11BBD4C0EC1EC5502C7B8E46B6254F35AC7F0DA	58C6F2A4969DF73268C2E2903602CAC39BBB944A2FD9BBDED56A07059DBB1487
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sun May 26 21:33:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	B9411B5AD7F6B3AA60F8CF0343D63093	BC9FCAE7A28A972250FB3F46C0AB7037F53905B0	E96BAE49B731CA74A91622C0AD9B69FDB6DE2A3FB21CA71435B30C79A19D41D9
Chrome Cache Entry: 142	ASCII text, with very long lines (65326)	5CC22540FFCC77AFB144A3EC5AF79510	CC6DB4712BA5DFD0D6FE48AF4152ED60CF440C4A	CA2D63F7F2D4EEDF5767AE32B8BADD7A17BCE8835A538EC0D80D20AFB723B8E6
Chrome Cache Entry: 143	ASCII text	0813EC121DD9BCD1AE76756031E42A4B	509C3C331761689BA7D63AC494253E8B6138D481	7AB3BE0FDE4ACA78A442505E7CA2308BF380E29D56E63A10B34C9958C2EFD888
Chrome Cache Entry: 144	ASCII text, with very long lines (64001)	34662B11CA3BE3304B190816EE80BF07	89F11BDF482EC5917DC3141735AEBD384C446565	816BAE7A6B3DC99D06EAAF337DD724FA76A632CB6B8B62549B64C2B91D81F476
Chrome Cache Entry: 145	ASCII text, with very long lines (26371)	7E848D774E13122792027C11B994C19C	276DF81DE919D3614FBB970A6DBDBB7A0570E40C	AAD541BCBD68B5EA0300C91B804637A2706E983A46D93546B109E6F322869107
Chrome Cache Entry: 146	ASCII text, with very long lines (50758)	67176C242E1BDC20603C878DEE836DF3	27A71B00383D61EF3C489326B3564D698FC1227C	56C12A125B021D21A69E61D7190CEFA168D6C28CE715265CEA1B3B0112D169C4
Chrome Cache Entry: 147	ASCII text, with no line terminators	103EF7AB15ACBC671C2CD49A64BAD281	6A878B42A98BD8CBD65DD5BA6F891845F44C4B2B	784BB66A686AE370FFD77EF4374FB1275D8A43CC014640C8381CDDA4BF731E12
Chrome Cache Entry: 148	C source, ASCII text	0A762EA4E6C34477F0D69A7CC853E7AE	4E703E940E4620F1C8AC328496167287F19B322F	952F98168DDEE35169166CE789031DB4B40CD784DD3D4B1712D04CC4F761677C
Chrome Cache Entry: 149	ASCII text, with very long lines (21435), with no line terminators	D369F70E45A120AD3DA6DDDA12209276	9C467DE322370EAAD5EC6D777626309BE9210EF3	7054C5E7B55839041881D2C383977BE8789AFC7429EB89BD2C09D546F1673CA8
Chrome Cache Entry: 150	HTML document, ASCII text, with very long lines (611)	DF3D48946E8D3F5A83608308EDBB4B86	47B9C40C97ABF2658DF96B1C06109324E15E1A00	570A6631252B8A52DF4DE0E953AE77DBDF524DFC3637CDA2840494A0D2B49499
Chrome Cache Entry: 151	HTML document, ASCII text, with very long lines (412), with CRLF line terminators	1D95509B41B4B16A432602BC8FBFB655	B81E37388455BB314DCB657BB0DA12F59A8E68E7	109A1DE413ED485E764AFB8339B71141DCA632D0D65DBC530E1D27EC8BB1E1F7
Chrome Cache Entry: 152	ASCII text, with very long lines (655)	F2120A31A163CF066A89F91D7C3DF384	C5986420CBA45D0970CD5619CF126796AFC8F79F	76CA206134970468A9E6EE4A731682D766153371D8B8CC2D279E4FE3079FE4E8
Chrome Cache Entry: 153	ASCII text	983C80164DA22B6B860FF359E0467DA0	B0568ADBB711E52EE955B4CA5813106F18E12C17	98338A949ABE7DAB9F6A8E75E897D81A0D9EA3D4E14CD591EF98046C9E71749A
Chrome Cache Entry: 154	ASCII text	C4B3353F564D0852C17127CACE489FB8	124AEF17E75E52A81D0E9C852BB61F7FBD2AF0BB	9B60E53E63A688745A44171D874B18EB281490F5283D3879C95D244AD0B84D53
Chrome Cache Entry: 155	Unicode text, UTF-8 text, with very long lines (64399)	01B00DC27E3831F4F8093FC111890E6E	B9B8F114C58D3EA37F75216550A0F6C5022885F9	45B30930D5752603CDFF2D24AA942B5BBAE3168F62E74E092CD9405FF10127F7
Chrome Cache Entry: 156	ASCII text, with very long lines (12309)	B5EE3CE2023C717FFF34CFE5D3B82599	36F532887C2BF6BC7BDD06E68E96EAFE2051A5F7	716ECE8DEB8412F7EC95AB395C92F6515BB8D8B792FD7480C014CDC6F063452A
Chrome Cache Entry: 157	ASCII text	2FD3D2FB4BC985380024177C1C4E114D	9EDDDADCF7D2A9FB13412424E245F9F3EA42C489	0814916D6875E3785F4F43A64A55DD244578A116BD5190418C2994B1FCABAD4D
Chrome Cache Entry: 158	SVG Scalable Vector Graphics image	63CCE1C72E9F613A95BC14D7AE0DC2EF	BCAA77E2DE1AD4549472CFC41132B833E8B7266D	74D1ECF847B8DBFBDA3454D2A99CCD2906022FA6E290397F44D306B393D6E11F
Chrome Cache Entry: 159	ASCII text, with very long lines (32065)	2F6B11A7E914718E0290410E85366FE9	69BB69E25CA7D5EF0935317584E6153F3FD9A88C	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Multi AV Scanner detection for submitted file

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

Virustotal: Detection: 9%

Perma Link

Phishing

AI detected phishing page

Source: https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/webmail-logo.svg

Yara detected HtmlPhish10

Source: Yara match

File source: 1.1.pages.csv, type: HTML

AI detected suspicious javascript

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

Form action URLs do not match main URL

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: Form action: https://givenger.duckdns.org/nwe/x1.php?inc r2 duckdns

HTML body contains low number of good links

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: Number of links: 0

HTML title does not match URL

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: Title: Webmail :: Welcome to Webmail does not match URL

Suspicious form URL found

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: Form action: https://givenger.duckdns.org/nwe/x1.php?inc

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: <input type="password" .../> found

Source: https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/skins/elastic/webmail-logo.svg	HTTP Parser: No favicon
Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html	HTTP Parser: No favicon

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: No <meta name="author".. found

Source: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

HTTP Parser: No <meta name="copyright".. found

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49741 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49729 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029493 ET CURRENT_EVENTS Possible Glitch.me Phishing Domain 192.168.2.5:61928 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2029493 ET CURRENT_EVENTS Possible Glitch.me Phishing Domain 192.168.2.5:61590 -> 1.1.1.1:53

Detected non-DNS traffic on DNS port

Source: global traffic	TCP traffic: 192.168.2.5:49714 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:51587 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:54606 -> 1.1.1.1:53

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49741 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html HTTP/1.1Host: pub-c53ac24b12464864b63e147b424f6afa.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery.js HTTP/1.1Host: shocking-northern-globeflower.glitch.meConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/deps/bootstrap.min_s%3D1707945294.css HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/plugins/skins/login_s%3D1677694319.css HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/brands/181/11074/styles.2_s%3D1689619297.css HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/plugins/jqueryui/themes/elastic/jquery-ui.min_s%3D1705745704.css HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/program/js/jquery.min_s%3D1707945181.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/program/js/common_s%3D1705745704.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/program/js/app_s%3D1707943829.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/program/js/jstz.min_s%3D1705745709.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/plugins/skins/punycode_s%3D1677694319.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/ui_s%3D1677694320.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/plugins/jqueryui/js/jquery-ui.min_s%3D1705745704.js HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/fonts/roboto-v18-greek-ext_cyrillic-ext_cyrillic_greek_latin-ext_latin-regular.woff2 HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-c53ac24b12464864b63e147b424f6afa.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/brands/181/11074/styles.2_s%3D1689619297.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/webmail-logo.svg HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: objectReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /eu/skins/elastic/fonts/roboto-v18-greek-ext_cyrillic-ext_cyrillic_greek_latin-ext_latin-regular.woff HTTP/1.1Host: pub-3588bd29371644b4ba49e89c840c7b96.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://pub-c53ac24b12464864b63e147b424f6afa.r2.devsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://pub-3588bd29371644b4ba49e89c840c7b96.r2.dev/eu/brands/181/11074/styles.2_s%3D1689619297.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: pub-c53ac24b12464864b63e147b424f6afa.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPREFS=full

Source: global traffic	DNS traffic detected: DNS query: pub-c53ac24b12464864b63e147b424f6afa.r2.dev
Source: global traffic	DNS traffic detected: DNS query: shocking-northern-globeflower.glitch.me
Source: global traffic	DNS traffic detected: DNS query: pub-3588bd29371644b4ba49e89c840c7b96.r2.dev
Source: global traffic	DNS traffic detected: DNS query: stackpath.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 26 May 2024 22:33:25 GMTContent-Type: text/htmlContent-Length: 27242Connection: closeServer: cloudflareCF-RAY: 88a13a0c3e830cba-EWR

Source: chromecache_154.2.dr	String found in binary or memory: http://code.iamcal.com/php/rfc822/
Source: chromecache_143.2.dr, chromecache_152.2.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: chromecache_154.2.dr	String found in binary or memory: http://dev.rubyonrails.org/changeset/7271
Source: chromecache_154.2.dr	String found in binary or memory: http://idn.icann.org/E-mail_test)
Source: chromecache_155.2.dr, chromecache_145.2.dr	String found in binary or memory: http://jqueryui.com
Source: chromecache_145.2.dr	String found in binary or memory: http://jqueryui.com/themeroller/?bgShadowXPos=&bgOverlayXPos=&bgErrorXPos=&bgHighlightXPos=&bgConten
Source: chromecache_154.2.dr	String found in binary or memory: http://rumkin.com
Source: chromecache_148.2.dr	String found in binary or memory: http://tools.ietf.org/html/rfc3492#section-3.4
Source: chromecache_152.2.dr	String found in binary or memory: http://twitter.github.com/bootstrap/)
Source: chromecache_152.2.dr	String found in binary or memory: http://www.gnu.org/licenses/
Source: chromecache_154.2.dr	String found in binary or memory: http://www.michaelapproved.com/articles/timezone-detect-and-ignore-daylight-saving-time-dst/
Source: chromecache_155.2.dr	String found in binary or memory: https://bugs.jqueryui.com/ticket/8593
Source: chromecache_156.2.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jstimezonedetect/1.0.7/jstz.min.js
Source: chromecache_150.2.dr	String found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
Source: chromecache_152.2.dr	String found in binary or memory: https://fullcalendar.io/
Source: chromecache_146.2.dr, chromecache_142.2.dr	String found in binary or memory: https://getbootstrap.com/)
Source: chromecache_144.2.dr	String found in binary or memory: https://github.com/jquery/jquery/tree/3.5.1
Source: chromecache_143.2.dr	String found in binary or memory: https://github.com/roundcube/elastic/issues/45
Source: chromecache_142.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
Source: chromecache_146.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_146.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: chromecache_143.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/issues/20219)
Source: chromecache_143.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/issues/25428
Source: chromecache_148.2.dr	String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: chromecache_148.2.dr	String found in binary or memory: https://mths.be/punycode
Source: chromecache_150.2.dr	String found in binary or memory: https://www.cloudflare.com/favicon.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54610 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49729 version: TLS 1.2

Source: classification engine

Classification label: mal84.phis.win@22/42@12/8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2096,i,2661542040895567109,9855717602252006107,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2096,i,2661542040895567109,9855717602252006107,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

ID:	1447739
Product:	CloudBasic
Start time:	00:32:26
Start date:	27.05.2024
Cookbook:	browseurl.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Windows Analysis Report
https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Boot Survival

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Boot Survival

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
https://pub-c53ac24b12464864b63e147b424f6afa.r2.dev/ADAwATMwMAItOTU4MC1jMjA2LTAwAi0wMAoAEABW30hqQQA0SoDyAY.html