Windows Analysis Report
https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

Overview

General Information

Sample URL:	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)
Analysis ID:	1544429
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Antivirus / Scanner detection for submitted sample

AI detected landing page (webpage, office document or email)

AI detected suspicious URL

HTML body with high number of embedded images detected

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Phishing

AI detected phishing page

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

LLM: Score: 9 Reasons: The brand 'Microsoft Security' is associated with Microsoft, a well-known brand., The URL 'pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev' does not match the legitimate domain 'microsoft.com'., The domain 'r2.dev' is not associated with Microsoft and appears to be a generic or cloud service domain., The use of a subdomain with a long alphanumeric string is suspicious and often used in phishing attempts., The input fields labeled as 'u, n, k, n, o, w, n' do not provide clarity on their purpose, which is a common tactic in phishing sites to confuse users. DOM: 1.0.pages.csv

HTML body with high number of embedded images detected

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

HTTP Parser: Total embedded image size: 73676

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49731 version: TLS 1.2

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49724 -> 104.21.57.143:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49728 -> 104.21.57.143:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49730 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49733 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49736 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49739 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49741 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49743 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49746 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49752 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49754 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49756 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49758 -> 104.21.48.111:443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10

Source: global traffic	HTTP traffic detected: GET /index.html HTTP/1.1Host: pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PW6G6dB3akADKmr&MD=6bVxdOz3 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /jquery-1.9.1.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery-1.9.1.js HTTP/1.1Host: code.jquery.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/json/ HTTP/1.1Host: freeipapi.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, /; q=0.01sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.devSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/json/ HTTP/1.1Host: freeipapi.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PW6G6dB3akADKmr&MD=6bVxdOz3 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: freeipapi.com
Source: global traffic	DNS traffic detected: DNS query: 7feiapxrtg6.tkllop.online
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: ziumvqp0e8.dffjl.online

Source: unknown

HTTP traffic detected: POST /obufsssssssscaaatoion/ HTTP/1.1Host: 7feiapxrtg6.tkllop.onlineConnection: keep-aliveContent-Length: 117sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.devSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Oct 2024 11:18:57 GMTContent-Type: text/htmlContent-Length: 27150Connection: closeServer: cloudflareCF-RAY: 8da2c4908f9e2cbc-DFW

Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://bugs.jquery.com/ticket/12282#comment:15
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://bugs.jquery.com/ticket/12359
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://dev.w3.org/csswg/cssom/#resolved-values
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_A
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://jquery.com/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://jquery.org/license
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://json.org/json2.js
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://jsperf.com/getall-vs-sizzle/2
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://sizzlejs.com/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=491668
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=649285
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://developer.mozilla.org/en/Security/CSP)
Source: chromecache_69.2.dr	String found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://github.com/jquery/jquery/pull/764
Source: chromecache_69.2.dr	String found in binary or memory: https://www.cloudflare.com/favicon.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49731 version: TLS 1.2

Source: classification engine

Classification label: mal64.phis.win@17/19@22/12

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,11828077503824926269,3476625149964184889,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,11828077503824926269,3476625149964184889,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

LLM: Page contains button: 'VERIFY' Source: '1.0.pages.csv'

AI detected suspicious URL

Source: Email

JoeBoxAI: AI detected suspicious URL: URL: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.17.24.14	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
162.159.140.237	pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev	United States	13335	CLOUDFLARENETUS	true
151.101.2.137	unknown	United States	54113	FASTLYUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.97.3	freeipapi.com	European Union	13335	CLOUDFLARENETUS	false
104.21.57.143	7feiapxrtg6.tkllop.online	United States	13335	CLOUDFLARENETUS	false
151.101.194.137	code.jquery.com	United States	54113	FASTLYUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
104.21.48.111	ziumvqp0e8.dffjl.online	United States	13335	CLOUDFLARENETUS	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.16

Contacted Domains

Name	IP	Active
pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev	162.159.140.237	true
a.nel.cloudflare.com	35.190.80.1	true
code.jquery.com	151.101.194.137	true
cdnjs.cloudflare.com	104.17.25.14	true
freeipapi.com	188.114.97.3	true
www.google.com	142.250.185.228	true
7feiapxrtg6.tkllop.online	104.21.57.143	true
ziumvqp0e8.dffjl.online	104.21.48.111	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://a.nel.cloudflare.com/report/v4?s=S0fBBCnxNJXNyGaG8xD0yDPTm0c0UWhFOSBCRCd4dOk40UCOGg7wk8eXyxx5QfrIsiAwZ2I22YGRp1NhRJ4cUA1ia4z%2B0xNfq%2F3TLyiRUnOelZL0msLQm%2FfHbkFn%2BLY36MyfkV1ewCN3Id%2FO	false		unknown
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js	false	URL Reputation: safe	unknown
https://a.nel.cloudflare.com/report/v4?s=pyCwixMqQzILA5F9uawMnnXlgXhx2rUAOsLtKIndYi36ld8ns%2F98JCcVQRCwiIFJO3uOo7vtZpQNyMGRz9br04vxI5rNgQjW%2ByecjDm6wmRO8eBGG18pSnUICEN5rO2iuCmN1M%2BhQuPRxY%2FQ	false		unknown
https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/favicon.ico	false		unknown
https://code.jquery.com/jquery-1.9.1.js	false		unknown
https://ziumvqp0e8.dffjl.online/obufsssssssscaaatoion/	false		unknown
https://7feiapxrtg6.tkllop.online/obufsssssssscaaatoion/	false		unknown
https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html	false		unknown
https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)	true		unknown
https://freeipapi.com/api/json/	false		unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 10:18:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	076E0ACADE4CF6EC34583688D6B67326	218DCE4EB52E89E5259409CCFCF3D3F7A1B7CBB8	DCD44D039E58DCBB2D97D952F0AE284FFC5BCF2669482407052547B28DDCB0C5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 10:18:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	41E4CB386054889D7A8F8E78A61D88FE	3C856265691E497B3ABEB9EC0398FA068503D13D	5F4322B0C11655965020FCBD525A91D96883922C11C57FE0B914B2247ECB8059
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	82EE1CA04E96E567CFB283BCBFCDC4AF	03F668765D4E9635F25D6628AED194863719054C	06FF2F31F784111B2735747B0DBC12F0F625E4C85A07BEE14FD9C871CE28E655
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 10:18:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	FFC88E5288AB29E636455E3C3C41ED55	7699A59682B53002E3CD2DEF9AE4C64CAE28FEB2	B552E1DFDF0178212A7685D3848B60FCEF54CABE7D67DC7A27BEF127834CFCCD
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 10:18:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	43B209BA2B46E06497A21BDEE6AD8D3B	BE54C28FAF4A38C0485830760070E67B3FB6648B	DEEFD4B3DD4E49F80D1AB7C34D64C119F5D750F357E714FED34E4FE811AE3686
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 10:18:54 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	AFFECC7B98B26D59F620098BC5DD75D2	86A1C2D9F3F6CF53CFB990105CF7E5EBF8AA119E	B7BC9F7818335E626BB2781F24870FBA1C31DD6FFE4EF00CFE010650AF066403
Chrome Cache Entry: 64	ASCII text, with very long lines (48316), with no line terminators	2CA03AD87885AB983541092B87ADB299	1A17F60BF776A8C468A185C1E8E985C41A50DC27	8E3B0117F4DF4BE452C0B6AF5B8F0A0ACF9D4ADE23D08D55D7E312AF22077762
Chrome Cache Entry: 65	JSON data	B0D6F602F273AEF991D0106FC3FBD889	9489C6BD28EB2C0F8068D33A804C4795A9CAA4EA	C9961A396F3A102C2479BFFD68B3B0835A83EB02105762627BCE3DD658F917CD
Chrome Cache Entry: 66	ASCII text	08C235D357750C657AC1DB7D1CF656A9	9257AFD2D46C3A189EC0D40A45722701D47E9CA5	7BD80D06C01C0340C1B9159B9B4A197DB882CA18CBAC8E9B9AA025E68F998D40
Chrome Cache Entry: 67	ASCII text, with very long lines (48316), with no line terminators	2CA03AD87885AB983541092B87ADB299	1A17F60BF776A8C468A185C1E8E985C41A50DC27	8E3B0117F4DF4BE452C0B6AF5B8F0A0ACF9D4ADE23D08D55D7E312AF22077762
Chrome Cache Entry: 68	ASCII text	08C235D357750C657AC1DB7D1CF656A9	9257AFD2D46C3A189EC0D40A45722701D47E9CA5	7BD80D06C01C0340C1B9159B9B4A197DB882CA18CBAC8E9B9AA025E68F998D40
Chrome Cache Entry: 69	HTML document, ASCII text, with very long lines (611)	46DD133EE00DC1BAE5E4EEBA7B88432F	8AF86A4AC91CE48C062216FB94A6E1D57618A19B	9EB52EE46C7AB5EA4CA0982415DA99FDED1B7D7354F75E50847BDAE6CB44EB66
Chrome Cache Entry: 70	HTML document, ASCII text, with very long lines (65446)	8D6EB6E73E2596575031566178CC276B	F3C7B0508486021F5CB6A4CE101560CC2408BB83	CB6BDCD74DF04F0ADBEC94C04FBD18A90505F92E3954BCCF8A6AD17CBF27B1A2
Chrome Cache Entry: 71	JSON data	B0D6F602F273AEF991D0106FC3FBD889	9489C6BD28EB2C0F8068D33A804C4795A9CAA4EA	C9961A396F3A102C2479BFFD68B3B0835A83EB02105762627BCE3DD658F917CD

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Phishing

AI detected phishing page

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

HTML body with high number of embedded images detected

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

HTTP Parser: Total embedded image size: 73676

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49731 version: TLS 1.2

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49724 -> 104.21.57.143:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49728 -> 104.21.57.143:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49730 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49733 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49736 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49739 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49741 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49743 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49746 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49752 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49754 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49756 -> 104.21.48.111:443
Source: Network traffic	Suricata IDS: 2047978 - Severity 2 - ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1 : 192.168.2.16:49758 -> 104.21.48.111:443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10

Source: global traffic	HTTP traffic detected: GET /index.html HTTP/1.1Host: pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PW6G6dB3akADKmr&MD=6bVxdOz3 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /jquery-1.9.1.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery-1.9.1.js HTTP/1.1Host: code.jquery.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/json/ HTTP/1.1Host: freeipapi.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, /; q=0.01sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.devSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/json/ HTTP/1.1Host: freeipapi.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=PW6G6dB3akADKmr&MD=6bVxdOz3 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: freeipapi.com
Source: global traffic	DNS traffic detected: DNS query: 7feiapxrtg6.tkllop.online
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: ziumvqp0e8.dffjl.online

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Oct 2024 11:18:57 GMTContent-Type: text/htmlContent-Length: 27150Connection: closeServer: cloudflareCF-RAY: 8da2c4908f9e2cbc-DFW

Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://bugs.jquery.com/ticket/12282#comment:15
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://bugs.jquery.com/ticket/12359
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://dev.w3.org/csswg/cssom/#resolved-values
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_A
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://jquery.com/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://jquery.org/license
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://json.org/json2.js
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://jsperf.com/getall-vs-sizzle/2
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://sizzlejs.com/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=491668
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=649285
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://developer.mozilla.org/en/Security/CSP)
Source: chromecache_69.2.dr	String found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
Source: chromecache_66.2.dr, chromecache_68.2.dr	String found in binary or memory: https://github.com/jquery/jquery/pull/764
Source: chromecache_69.2.dr	String found in binary or memory: https://www.cloudflare.com/favicon.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49731 version: TLS 1.2

Source: classification engine

Classification label: mal64.phis.win@17/19@22/12

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,11828077503824926269,3476625149964184889,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1884,i,11828077503824926269,3476625149964184889,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

LLM: Page contains button: 'VERIFY' Source: '1.0.pages.csv'

AI detected suspicious URL

Source: Email

JoeBoxAI: AI detected suspicious URL: URL: https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

ID:	1544429
Product:	CloudBasic
Start time:	12:18:21
Start date:	29.10.2024
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Windows Analysis Report
https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)