Windows Analysis Report
25_May_2024_eSign.pdf

Overview

General Information

Sample name: 25_May_2024_eSign.pdf
Analysis ID: 1448095
MD5: c517e38681504b9d34d983ffb7843a6f
SHA1: 7da6a5069594538125311fd78dca5ed2fc97ddaf
SHA256: 01a0ad038da6c728c0af955c5090948b925b9e89775d51297981200f19d9dbc3
Infos:

Detection

HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
Antivirus detection for URL or domain
Found potential malicious PDF (bad image similarity)
Multi AV Scanner detection for domain / URL
Phishing site detected (based on favicon image match)
Yara detected BlockedWebSite
Yara detected HtmlPhish10
AI detected suspicious javascript
Phishing site detected (based on image similarity)
Phishing site detected (based on logo match)
Detected non-DNS traffic on DNS port
Detected suspicious crossdomain redirect
HTML body contains low number of good links
HTML body contains password input but no form action
HTML body with high number of embedded images detected
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Invalid 'forgot password' link found
Invalid 'sign-in options' or 'sign-up' link found
JA3 SSL client fingerprint seen in connection with other malware
Stores files to the Windows start menu directory
Submit button contains javascript call

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://maplebearrabat.com/content/cauoaeox/jihu/YWNjb3VudHNyZWNlaXZhYmxlQGFjYWdsb2JhbC5jb20= SlashNext: Label: Credential Stealing type: Phishing & Social Engineering
Source: https://cloudflare-ipfs.com/favicon.ico URL Reputation: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/bg_normal.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/auth_number.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/godaddy-left.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/2fa_authenticator.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/call_2fa.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/logo-off-1.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/obufsssssssscaaatoion/ Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/microsoft_logo.png/ Avira URL Cloud: Label: malware
Source: https://cloudflare-ipfs.com/cdn-cgi/images/icon-exclamation.png?1376755637 Avira URL Cloud: Label: phishing
Source: https://aea14i7zphg.wqqqqop.shop/static/media/message_think.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/key_workshcool.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/person_office.png Avira URL Cloud: Label: malware
Source: https://aea14i7zphg.wqqqqop.shop/static/media/person_workshcool.png Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://cloudflare-ipfs.com/cdn-cgi/styles/cf.errors.css Virustotal: Detection: 10% Perma Link
Source: https://cloudflare-ipfs.com/cdn-cgi/images/icon-exclamation.png?1376755637 Virustotal: Detection: 10% Perma Link

Phishing
barindex
AI detected phishing page
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y LLM: Score: 9 brands: Microsoft Reasons: The URL 'https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y' does not match the legitimate domain name associated with Microsoft, which is typically 'microsoft.com' or 'live.com'. The use of 'cloudflare-ipfs.com' is suspicious as it is not a known Microsoft domain. The page contains a login form, which is a common element in phishing sites. The use of social engineering techniques is evident from the attempt to mimic a legitimate Microsoft login page. DOM: 2.3.pages.csv
Phishing site detected (based on favicon image match)
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y Matcher: Template: microsoft matched with high similarity
Yara detected BlockedWebSite
Source: Yara match File source: 1.1.pages.csv, type: HTML
Yara detected HtmlPhish10
Source: Yara match File source: 2.3.pages.csv, type: HTML
AI detected suspicious javascript
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y LLM: Score: 8 Reasons: The code is heavily obfuscated, which is a common technique used to hide malicious intent. It contains a large number of seemingly random hexadecimal strings and variables, which makes it difficult to understand its true functionality. Additionally, the presence of a 'debugger' statement and manipulation of key events (e.g., 'keydown') suggests that it might be attempting to interfere with user input or perform actions without user consent. These characteristics are often associated with malicious scripts. DOM: 2.2.pages.csv
Phishing site detected (based on image similarity)
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y Matcher: Found strong image similarity, brand: MICROSOFT
Phishing site detected (based on logo match)
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y Matcher: Template: microsoft matched
HTML body contains low number of good links
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: Number of links: 0
HTML body contains password input but no form action
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: <input type="password" .../> found but no <form action="...
HTML body with high number of embedded images detected
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: Total embedded image size: 73676
Invalid 'forgot password' link found
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: Invalid link: reset it now.
Invalid 'sign-in options' or 'sign-up' link found
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: Invalid link: get a new Microsoft account
Submit button contains javascript call
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: On click: $('#work-or-shcool').hide();$('#i0281').show();
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: <input type="password" .../> found
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y#accountsreceivable@acaglobal.com HTTP Parser: No favicon
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: No favicon
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: No <meta name="author".. found
Source: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:55920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:55924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:55926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:55961 version: TLS 1.2
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.16:55906 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.16:55904 -> 1.1.1.1:53
Detected suspicious crossdomain redirect
Source: C:\Program Files\Google\Chrome\Application\chrome.exe HTTP traffic: Redirect from: www.kooss.com to https://maplebearrabat.com/content/cauoaeox/jihu/ywnjb3vudhnyzwnlaxzhymxlqgfjywdsb2jhbc5jb20=
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.17.96.13 104.17.96.13
Source: Joe Sandbox View IP Address: 104.21.96.107 104.21.96.107
Source: Joe Sandbox View IP Address: 51.77.64.70 51.77.64.70
Source: Joe Sandbox View IP Address: 151.101.194.137 151.101.194.137
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 92.123.104.38
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: global traffic HTTP traffic detected: GET /j7.php?url=https://m.exactag.com/ai.aspx?tc=d9047570bc40b07205bbd26a23a8d2e6b6b4f9&url=https://maplebearrabat.com/content/cauoaeox/jihu/YWNjb3VudHNyZWNlaXZhYmxlQGFjYWdsb2JhbC5jb20= HTTP/1.1Host: www.kooss.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /content/cauoaeox/jihu/YWNjb3VudHNyZWNlaXZhYmxlQGFjYWdsb2JhbC5jb20= HTTP/1.1Host: maplebearrabat.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP/1.1Host: cloudflare-ipfs.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://maplebearrabat.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: maplebearrabat.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://maplebearrabat.com/content/cauoaeox/jihu/YWNjb3VudHNyZWNlaXZhYmxlQGFjYWdsb2JhbC5jb20=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cdn-cgi/styles/cf.errors.css HTTP/1.1Host: cloudflare-ipfs.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2yAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1Host: cloudflare-ipfs.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/cdn-cgi/styles/cf.errors.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: cloudflare-ipfs.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2yAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1Host: cloudflare-ipfs.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KVmkthM6DpEzyGv&MD=29UUu6lb HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected: GET /cdn-cgi/phish-bypass?atok=CT7tcRP.LUBFLZgoIYhechJ50z8EjywmGLk7DrAEPUk-1716831012-0.0.1.1-%2Fipfs%2Fbafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP/1.1Host: cloudflare-ipfs.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2yAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=NckoPMHvKi0JTGMgrNlWoIZzabm5r3vIL5r6R4bzEAg-1716831013-1.0.1.1-hfNIKUgErOof2oiFLeEES6rj6Y6PeMfeiL0X0p.KnJO1Md3h4L.9JHG9nxWn3p0irR7ALVQ96W451ri4DbrKmg
Source: global traffic HTTP traffic detected: GET /ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y HTTP/1.1Host: cloudflare-ipfs.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2yAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=NckoPMHvKi0JTGMgrNlWoIZzabm5r3vIL5r6R4bzEAg-1716831013-1.0.1.1-hfNIKUgErOof2oiFLeEES6rj6Y6PeMfeiL0X0p.KnJO1Md3h4L.9JHG9nxWn3p0irR7ALVQ96W451ri4DbrKmg; __cf_mw_byp=CT7tcRP.LUBFLZgoIYhechJ50z8EjywmGLk7DrAEPUk-1716831012-0.0.1.1-/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /jquery-1.9.1.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /json/?key=pD3jjrEbn4o2CQ1 HTTP/1.1Host: pro.ip-api.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, */*; q=0.01sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://cloudflare-ipfs.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /json/?key=pD3jjrEbn4o2CQ1 HTTP/1.1Host: pro.ip-api.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /obufsssssssscaaatoion/ HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/bg_normal.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/logo-off-1.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/microsoft_logo.png/ HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/key_workshcool.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/person_workshcool.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/person_office.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/message_think.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/person_workshcool.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/logo-off-1.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/auth_number.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/microsoft_logo.png/ HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/call_2fa.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/key_workshcool.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/2fa_authenticator.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/godaddy-left.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/person_office.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/bg_normal.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/message_think.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/auth_number.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/call_2fa.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/2fa_authenticator.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /static/media/godaddy-left.png HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KVmkthM6DpEzyGv&MD=29UUu6lb HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: www.kooss.com
Source: global traffic DNS traffic detected: DNS query: maplebearrabat.com
Source: global traffic DNS traffic detected: DNS query: cloudflare-ipfs.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: code.jquery.com
Source: global traffic DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic DNS traffic detected: DNS query: pro.ip-api.com
Source: global traffic DNS traffic detected: DNS query: aea14i7zphg.wqqqqop.shop
Source: global traffic DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic DNS traffic detected: DNS query: google.com
Source: unknown HTTP traffic detected: POST /obufsssssssscaaatoion/ HTTP/1.1Host: aea14i7zphg.wqqqqop.shopConnection: keep-aliveContent-Length: 104sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://cloudflare-ipfs.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://cloudflare-ipfs.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 17:30:13 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 14Connection: closeSet-Cookie: __cf_bm=NckoPMHvKi0JTGMgrNlWoIZzabm5r3vIL5r6R4bzEAg-1716831013-1.0.1.1-hfNIKUgErOof2oiFLeEES6rj6Y6PeMfeiL0X0p.KnJO1Md3h4L.9JHG9nxWn3p0irR7ALVQ96W451ri4DbrKmg; path=/; expires=Mon, 27-May-24 18:00:13 GMT; domain=.cloudflare-ipfs.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 88a7bb4b9dcb4213-EWRalt-svc: h3=":443"; ma=86400
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A0.2.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: chromecache_185.5.dr String found in binary or memory: http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: chromecache_185.5.dr String found in binary or memory: http://bugs.jquery.com/ticket/12282#comment:15
Source: chromecache_185.5.dr String found in binary or memory: http://bugs.jquery.com/ticket/12359
Source: 77EC63BDA74BD0D0E0426DC8F80085060.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: chromecache_185.5.dr String found in binary or memory: http://dev.w3.org/csswg/cssom/#resolved-values
Source: chromecache_185.5.dr String found in binary or memory: http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
Source: chromecache_185.5.dr String found in binary or memory: http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript
Source: chromecache_185.5.dr String found in binary or memory: http://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_A
Source: chromecache_185.5.dr String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/
Source: chromecache_185.5.dr String found in binary or memory: http://jquery.com/
Source: chromecache_185.5.dr String found in binary or memory: http://jquery.org/license
Source: chromecache_185.5.dr String found in binary or memory: http://json.org/json2.js
Source: chromecache_185.5.dr String found in binary or memory: http://jsperf.com/getall-vs-sizzle/2
Source: chromecache_200.5.dr String found in binary or memory: http://schema.org/WebPage
Source: chromecache_185.5.dr String found in binary or memory: http://sizzlejs.com/
Source: chromecache_185.5.dr String found in binary or memory: http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
Source: chromecache_200.5.dr String found in binary or memory: https://apis.google.com
Source: chromecache_185.5.dr String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: chromecache_185.5.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=491668
Source: chromecache_185.5.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=649285
Source: 800cdb10-a2d4-4d35-9dd5-f3647155a75a.tmp.3.dr, 740d5b8c-cc1f-4a93-94ce-f78452bfeba8.tmp.3.dr String found in binary or memory: https://chrome.cloudflare-dns.com
Source: chromecache_185.5.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: chromecache_185.5.dr String found in binary or memory: https://developer.mozilla.org/en/Security/CSP)
Source: chromecache_185.5.dr String found in binary or memory: https://github.com/jquery/jquery/pull/764
Source: chromecache_200.5.dr String found in binary or memory: https://ogs.google.com/widget/app/so?awwd=1
Source: chromecache_200.5.dr String found in binary or memory: https://ogs.google.com/widget/callout?prid=19037050
Source: chromecache_200.5.dr String found in binary or memory: https://www.google.com/_/og/promos/
Source: chromecache_200.5.dr String found in binary or memory: https://www.google.com/intl/en/about/products
Source: chromecache_200.5.dr String found in binary or memory: https://www.google.com/url?q=https://accounts.google.com/signin/v2/identifier%3Fec%3Dfutura_hpp_co_s
Source: chromecache_200.5.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.s-_8OiN4zAs.2019.O/rt=j/m=qabr
Source: chromecache_200.5.dr String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm._yk4Kx1DLwg.L.W.O/m=qcwid/excm=qaaw
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55907
Source: unknown Network traffic detected: HTTP traffic on port 55936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55905
Source: unknown Network traffic detected: HTTP traffic on port 55951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55910
Source: unknown Network traffic detected: HTTP traffic on port 55954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55948 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55928
Source: unknown Network traffic detected: HTTP traffic on port 55938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55929
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55920
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55921
Source: unknown Network traffic detected: HTTP traffic on port 55957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55922
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55923
Source: unknown Network traffic detected: HTTP traffic on port 55930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55939
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55935
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55931
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55934
Source: unknown Network traffic detected: HTTP traffic on port 55935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55930
Source: unknown Network traffic detected: HTTP traffic on port 55952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 55946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 55921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55942
Source: unknown Network traffic detected: HTTP traffic on port 55932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55944
Source: unknown Network traffic detected: HTTP traffic on port 55955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55940
Source: unknown Network traffic detected: HTTP traffic on port 55926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55958
Source: unknown Network traffic detected: HTTP traffic on port 55958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55950
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55951
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55952
Source: unknown Network traffic detected: HTTP traffic on port 55950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55965
Source: unknown Network traffic detected: HTTP traffic on port 55934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55960
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55963
Source: unknown Network traffic detected: HTTP traffic on port 55928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55942 -> 443
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:55920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:55924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:55926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:55961 version: TLS 1.2

System Summary
barindex
Found potential malicious PDF (bad image similarity)
Source: 25_May_2024_eSign.pdf Static PDF information: Image stream: 11
Source: classification engine Classification label: mal100.phis.winPDF@31/107@32/13
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-05-27 13-30-08-477.log Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\25_May_2024_eSign.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1612 --field-trial-handle=1580,i,12606758722636301871,14801782710418106230,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.kooss.com/j7.php?url=https://m.exactag.com/ai.aspx?tc=d9047570bc40b07205bbd26a23a8d2e6b6b4f9&url=https://maplebearrabat.com/content/cauoaeox/jihu/YWNjb3VudHNyZWNlaXZhYmxlQGFjYWdsb2JhbC5jb20=
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2004,i,16712865110461069709,7719260107902575291,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1612 --field-trial-handle=1580,i,12606758722636301871,14801782710418106230,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2004,i,16712865110461069709,7719260107902575291,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: Google Drive.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: 25_May_2024_eSign.pdf Initial sample: PDF keyword /JS count = 0
Source: 25_May_2024_eSign.pdf Initial sample: PDF keyword /JavaScript count = 0
Source: 25_May_2024_eSign.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448095 Sample: 25_May_2024_eSign.pdf Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 21 www.google.com 2->21 35 Found potential malicious PDF (bad image similarity) 2->35 37 Multi AV Scanner detection for domain / URL 2->37 39 Antivirus detection for URL or domain 2->39 41 7 other signatures 2->41 8 chrome.exe 10 2->8         started        11 Acrobat.exe 20 64 2->11         started        signatures3 process4 dnsIp5 25 192.168.2.16, 137, 138, 443 unknown unknown 8->25 27 239.255.255.250 unknown Reserved 8->27 13 chrome.exe 8->13         started        16 AcroCEF.exe 108 11->16         started        process6 dnsIp7 29 cloudflare-ipfs.com 104.17.96.13, 443, 49707, 49708 CLOUDFLARENETUS United States 13->29 31 maplebearrabat.com 50.87.153.121, 443, 49703, 49706 UNIFIEDLAYER-AS-1US United States 13->31 33 10 other IPs or domains 13->33 18 AcroCEF.exe 6 16->18         started        process8 dnsIp9 23 23.47.168.24, 443, 55921 AKAMAI-ASUS United States 18->23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.17.96.13
 cloudflare-ipfs.com United States
13335 CLOUDFLARENETUS true
142.250.186.68
 www.google.com United States
15169 GOOGLEUS false
104.21.96.107
 aea14i7zphg.wqqqqop.shop United States
13335 CLOUDFLARENETUS false
51.77.64.70
 pro.ip-api.com France
16276 OVHFR false
151.101.194.137
 code.jquery.com United States
54113 FASTLYUS false
172.217.18.4
 unknown United States
15169 GOOGLEUS false
140.227.127.195
 www.kooss.com Japan 2514 INFOSPHERENTTPCCommunicationsIncJP false
23.47.168.24
 unknown United States
16625 AKAMAI-ASUS false
239.255.255.250
 unknown Reserved
unknown unknown false
152.199.23.37
 cs1100.wpc.omegacdn.net United States
15133 EDGECASTUS false
50.87.153.121
 maplebearrabat.com United States
46606 UNIFIEDLAYER-AS-1US false
104.17.25.14
 cdnjs.cloudflare.com United States
13335 CLOUDFLARENETUS false

Private

IP
192.168.2.16

Contacted Domains

Name IP Active
www.kooss.com 140.227.127.195 true
google.com 142.250.186.142 true
cs1100.wpc.omegacdn.net 152.199.23.37 true
maplebearrabat.com 50.87.153.121 true
code.jquery.com 151.101.194.137 true
cdnjs.cloudflare.com 104.17.25.14 true
pro.ip-api.com 51.77.64.70 true
aea14i7zphg.wqqqqop.shop 104.21.96.107 true
cloudflare-ipfs.com 104.17.96.13 true
www.google.com 142.250.186.68 true
aadcdn.msftauth.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://maplebearrabat.com/favicon.ico false
  • Avira URL Cloud: safe
 unknown
https://cloudflare-ipfs.com/cdn-cgi/phish-bypass?atok=CT7tcRP.LUBFLZgoIYhechJ50z8EjywmGLk7DrAEPUk-1716831012-0.0.1.1-%2Fipfs%2Fbafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y false
  • Avira URL Cloud: safe
 unknown
https://aea14i7zphg.wqqqqop.shop/static/media/bg_normal.png false
  • Avira URL Cloud: malware
 unknown
https://aea14i7zphg.wqqqqop.shop/static/media/auth_number.png false
  • Avira URL Cloud: malware
 unknown
https://aea14i7zphg.wqqqqop.shop/static/media/godaddy-left.png false
  • Avira URL Cloud: malware
 unknown
https://maplebearrabat.com/content/cauoaeox/jihu/YWNjb3VudHNyZWNlaXZhYmxlQGFjYWdsb2JhbC5jb20= true
  • SlashNext: Credential Stealing type: Phishing & Social Engineering
 unknown
https://aea14i7zphg.wqqqqop.shop/static/media/2fa_authenticator.png false
  • Avira URL Cloud: malware
 unknown
https://cloudflare-ipfs.com/favicon.ico false
  • URL Reputation: malware
 unknown
https://aea14i7zphg.wqqqqop.shop/static/media/call_2fa.png false
  • Avira URL Cloud: malware
 unknown
https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y true
    		unknown
    https://aea14i7zphg.wqqqqop.shop/static/media/logo-off-1.png false
    • Avira URL Cloud: malware
    		 unknown
    https://cloudflare-ipfs.com/cdn-cgi/styles/cf.errors.css false
    • 11%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown
    https://aea14i7zphg.wqqqqop.shop/obufsssssssscaaatoion/ false
    • Avira URL Cloud: malware
    		 unknown
    https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js false
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown
    https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg false
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown
    https://aea14i7zphg.wqqqqop.shop/static/media/microsoft_logo.png/ false
    • Avira URL Cloud: malware
    		 unknown
    https://cloudflare-ipfs.com/cdn-cgi/images/icon-exclamation.png?1376755637 false
    • 11%, Virustotal, Browse
    • Avira URL Cloud: phishing
    		 unknown
    https://www.kooss.com/j7.php?url=https://m.exactag.com/ai.aspx?tc=d9047570bc40b07205bbd26a23a8d2e6b6b4f9&url=https://maplebearrabat.com/content/cauoaeox/jihu/YWNjb3VudHNyZWNlaXZhYmxlQGFjYWdsb2JhbC5jb20= false
    • Avira URL Cloud: safe
    		 unknown
    https://cloudflare-ipfs.com/ipfs/bafybeiclrj2xwfwignqrmjudvrsa7bbuecqrpcfskjfc3jj7t57lq7oi2y#accountsreceivable@acaglobal.com false
      		unknown
      https://code.jquery.com/jquery-1.9.1.js false
      • 1%, Virustotal, Browse
      • Avira URL Cloud: safe
      		 unknown
      https://aea14i7zphg.wqqqqop.shop/static/media/message_think.png false
      • Avira URL Cloud: malware
      		 unknown
      https://pro.ip-api.com/json/?key=pD3jjrEbn4o2CQ1 false
      • 1%, Virustotal, Browse
      • Avira URL Cloud: safe
      		 unknown
      https://aea14i7zphg.wqqqqop.shop/static/media/key_workshcool.png false
      • Avira URL Cloud: malware
      		 unknown
      https://aea14i7zphg.wqqqqop.shop/static/media/person_office.png false
      • Avira URL Cloud: malware
      		 unknown
      https://www.google.com/ false
      • 0%, Virustotal, Browse
      • Avira URL Cloud: safe
      		 unknown
      https://aea14i7zphg.wqqqqop.shop/static/media/person_workshcool.png false
      • Avira URL Cloud: malware
      		 unknown