Edit tour

Windows Analysis Report
https://u8411862.ct.sendgrid.net/ls/click?upn=u001.L4PK-2B0-2BuGt9pUFq-2FA3Op7Q-2F-2F9qb88t-2BRGAR6VDZa-2FLvCRsA1Ac7AajOPJIbQO7IP307a6xjNpvY8ZU7zRp9oyg-3D-3DE1Fg_CPebASiKsSpOAa3SLW44RsJxX9ZLglP0y4de2rxHefrHjZqY5SRIy9wKYZ9ERHf3zKK6o7ixiO4r4HIIwwj5RfSWrFWq-2FUbkZI-2FrBFl28oYsoQhEIuqeOt-2BjCiFlWuLC4rDo

Overview

General Information

Sample URL:	https://u8411862.ct.sendgrid.net/ls/click?upn=u001.L4PK-2B0-2BuGt9pUFq-2FA3Op7Q-2F-2F9qb88t-2BRGAR6VDZa-2FLvCRsA1Ac7AajOPJIbQO7IP307a6xjNpvY8ZU7zRp9oyg-3D-3DE1Fg_CPebASiKsSpOAa3SLW44RsJxX9ZLglP0y4de2r
Analysis ID:	1558824

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

HTML body contains low number of good links

HTML title does not match URL

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7128 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1948,i,1431956949486948433,14882087812796552089,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://u8411862.ct.sendgrid.net/ls/click?upn=u001.L4PK-2B0-2BuGt9pUFq-2FA3Op7Q-2F-2F9qb88t-2BRGAR6VDZa-2FLvCRsA1Ac7AajOPJIbQO7IP307a6xjNpvY8ZU7zRp9oyg-3D-3DE1Fg_CPebASiKsSpOAa3SLW44RsJxX9ZLglP0y4de2rxHefrHjZqY5SRIy9wKYZ9ERHf3zKK6o7ixiO4r4HIIwwj5RfSWrFWq-2FUbkZI-2FrBFl28oYsoQhEIuqeOt-2BjCiFlWuLC4rDomVqHzNhdvSab-2F-2Fw8d5IAtmQQI0BdCul9u12mfWcV4mFdLlsTdv9empaAUbuFjvZWnyaUm8GOERw44MojSA-3D-3D" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://imsoidc.bentley.com/connect/authorize?client_id=user-management&redirect_uri=https%3A%2F%2Fusermanagement.bentley.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20email%20user-management%20bentley-admin-api%20notification-service-20%20entitlement-search-service-2576%20ulas-product-information-2727%20agreements-2354&response_mode=form_post&nonce=638676423667396039.NzBlOWM4OTktOTFhYi00YmJkLTllNzYtMzZhZDhmYzUwMjAyOGMzOTFjZWQtZWViNC00ZTY5LWJmYzAtZGY1MjI5MDQ1YWUx&state=CfDJ8MKYeJ71b-9CueOVG07N9iuuFB_F8DYbFtOXu-nqWIKfVwrRunsryiib8HbqolyrqXBrmvhgbkw7frWWlLhwmjMt7bgN3FangX4Dz1SztrjK7cGoabkyPWoklfgcxi9A8bzWMxF61RuLoLSs53aCNfETg918YY7i_6rXM3441WSupl62Ng9vJSY-0XdEVq3ZLsvkErC1clObAEcdYx-PWnoL9bcMmhx8kBo_heWPKoCJLwhq_k8f-_kBzYS4bixJ8M2jsAbGeQJLYAFIfCPvfKY7bpEC5dBrWXy7SD5wLICnRVZ1eHhlrfua00aSIKyFHg&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.6.0.0

HTTP Parser: Number of links: 0

HTTP Parser: Title: Sign In does not match URL

HTTP Parser: No <meta name="author".. found

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.68:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.177:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49727 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197

Source: global traffic	DNS traffic detected: DNS query: u8411862.ct.sendgrid.net
Source: global traffic	DNS traffic detected: DNS query: usermanagement.bentley.com
Source: global traffic	DNS traffic detected: DNS query: imsoidc.bentley.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: connect-cdn.bentley.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.68:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.177:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49727 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@18/13@12/145

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1948,i,1431956949486948433,14882087812796552089,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://u8411862.ct.sendgrid.net/ls/click?upn=u001.L4PK-2B0-2BuGt9pUFq-2FA3Op7Q-2F-2F9qb88t-2BRGAR6VDZa-2FLvCRsA1Ac7AajOPJIbQO7IP307a6xjNpvY8ZU7zRp9oyg-3D-3DE1Fg_CPebASiKsSpOAa3SLW44RsJxX9ZLglP0y4de2rxHefrHjZqY5SRIy9wKYZ9ERHf3zKK6o7ixiO4r4HIIwwj5RfSWrFWq-2FUbkZI-2FrBFl28oYsoQhEIuqeOt-2BjCiFlWuLC4rDomVqHzNhdvSab-2F-2Fw8d5IAtmQQI0BdCul9u12mfWcV4mFdLlsTdv9empaAUbuFjvZWnyaUm8GOERw44MojSA-3D-3D"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1948,i,1431956949486948433,14882087812796552089,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
https://u8411862.ct.sendgrid.net/ls/click?upn=u001.L4PK-2B0-2BuGt9pUFq-2FA3Op7Q-2F-2F9qb88t-2BRGAR6VDZa-2FLvCRsA1Ac7AajOPJIbQO7IP307a6xjNpvY8ZU7zRp9oyg-3D-3DE1Fg_CPebASiKsSpOAa3SLW44RsJxX9ZLglP0y4de2rxHefrHjZqY5SRIy9wKYZ9ERHf3zKK6o7ixiO4r4HIIwwj5RfSWrFWq-2FUbkZI-2FrBFl28oYsoQhEIuqeOt-2BjCiFlWuLC4rDomVqHzNhdvSab-2F-2Fw8d5IAtmQQI0BdCul9u12mfWcV4mFdLlsTdv9empaAUbuFjvZWnyaUm8GOERw44MojSA-3D-3D	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
prod.ims.bentley.proofidcloud.com	52.59.10.51	true	false	unknown
www.google.com	172.217.16.196	true	false	high
u8411862.ct.sendgrid.net	167.89.115.58	true	false	unknown
sni1gl.wpc.nucdn.net	152.199.21.175	true	false	high
imsoidc.bentley.com	unknown	unknown	false	unknown
connect-cdn.bentley.com	unknown	unknown	false	unknown
usermanagement.bentley.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://imsoidc.bentley.com/connect/authorize?client_id=user-management&redirect_uri=https%3A%2F%2Fusermanagement.bentley.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20email%20user-management%20bentley-admin-api%20notification-service-20%20entitlement-search-service-2576%20ulas-product-information-2727%20agreements-2354&response_mode=form_post&nonce=638676423667396039.NzBlOWM4OTktOTFhYi00YmJkLTllNzYtMzZhZDhmYzUwMjAyOGMzOTFjZWQtZWViNC00ZTY5LWJmYzAtZGY1MjI5MDQ1YWUx&state=CfDJ8MKYeJ71b-9CueOVG07N9iuuFB_F8DYbFtOXu-nqWIKfVwrRunsryiib8HbqolyrqXBrmvhgbkw7frWWlLhwmjMt7bgN3FangX4Dz1SztrjK7cGoabkyPWoklfgcxi9A8bzWMxF61RuLoLSs53aCNfETg918YY7i_6rXM3441WSupl62Ng9vJSY-0XdEVq3ZLsvkErC1clObAEcdYx-PWnoL9bcMmhx8kBo_heWPKoCJLwhq_k8f-_kBzYS4bixJ8M2jsAbGeQJLYAFIfCPvfKY7bpEC5dBrWXy7SD5wLICnRVZ1eHhlrfua00aSIKyFHg&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.6.0.0	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.99	unknown	United States	15169	GOOGLEUS	false
142.250.185.206	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.186.163	unknown	United States	15169	GOOGLEUS	false
142.250.186.174	unknown	United States	15169	GOOGLEUS	false
167.89.115.58	u8411862.ct.sendgrid.net	United States	11377	SENDGRIDUS	false
20.105.232.11	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.59.10.51	prod.ims.bentley.proofidcloud.com	United States	16509	AMAZON-02US	false
172.217.18.106	unknown	United States	15169	GOOGLEUS	false
152.199.21.175	sni1gl.wpc.nucdn.net	United States	15133	EDGECASTUS	false
64.233.184.84	unknown	United States	15169	GOOGLEUS	false
172.217.16.196	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558824
Start date and time:	2024-11-19 20:45:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://u8411862.ct.sendgrid.net/ls/click?upn=u001.L4PK-2B0-2BuGt9pUFq-2FA3Op7Q-2F-2F9qb88t-2BRGAR6VDZa-2FLvCRsA1Ac7AajOPJIbQO7IP307a6xjNpvY8ZU7zRp9oyg-3D-3DE1Fg_CPebASiKsSpOAa3SLW44RsJxX9ZLglP0y4de2rxHefrHjZqY5SRIy9wKYZ9ERHf3zKK6o7ixiO4r4HIIwwj5RfSWrFWq-2FUbkZI-2FrBFl28oYsoQhEIuqeOt-2BjCiFlWuLC4rDomVqHzNhdvSab-2F-2Fw8d5IAtmQQI0BdCul9u12mfWcV4mFdLlsTdv9empaAUbuFjvZWnyaUm8GOERw44MojSA-3D-3D
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@18/13@12/145

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 142.250.185.206, 64.233.184.84, 34.104.35.123, 20.105.232.11, 172.217.18.106, 142.250.185.202, 142.250.184.202, 142.250.186.106, 142.250.181.234, 142.250.186.170, 142.250.185.234, 142.250.186.74, 142.250.185.170, 172.217.16.202, 142.250.186.42, 172.217.18.10, 142.250.74.202, 216.58.206.42, 142.250.186.138, 172.217.16.138
Excluded domains from analysis (whitelisted): prod-usermanagement-tm.trafficmanager.net, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, storageprodcdnendpoint.azureedge.net, content-autofill.googleapis.com, clientservices.googleapis.com, clients.l.google.com, storageprodcdnendpoint.ec.azureedge.net, waws-prod-am2-561-7d76.westeurope.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://u8411862.ct.sendgrid.net/ls/click?upn=u001.L4PK-2B0-2BuGt9pUFq-2FA3Op7Q-2F-2F9qb88t-2BRGAR6VDZa-2FLvCRsA1Ac7AajOPJIbQO7IP307a6xjNpvY8ZU7zRp9oyg-3D-3DE1Fg_CPebASiKsSpOAa3SLW44RsJxX9ZLglP0y4de2rxHefrHjZqY5SRIy9wKYZ9ERHf3zKK6o7ixiO4r4HIIwwj5RfSWrFWq-2FUbkZI-2FrBFl28oYsoQhEIuqeOt-2BjCiFlWuLC4rDomVqHzNhdvSab-2F-2Fw8d5IAtmQQI0BdCul9u12mfWcV4mFdLlsTdv9empaAUbuFjvZWnyaUm8GOERw44MojSA-3D-3D

LLM Input / Output

Input	Output
URL: https://imsoidc.bentley.com/connect/authorize?client_id=user-management&redirect_uri=https%3A%2F%2Fusermanagement.bentley.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20email%20user-management%20bentley-admin-api%20notification-s Model: Joe Sandbox AI	```json { "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Next", "text_input_field_labels": [ "Email Address" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://imsoidc.bentley.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://imsoidc.bentley.com
URL: https://imsoidc.bentley.com/connect/authorize?client_id=user-management&redirect_uri=https%3A%2F%2Fusermanagement.bentley.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20email%20user-management%20bentley-admin-api%20notification-s Model: Joe Sandbox AI	```json { "brands": [ "Bentley" ] }
	```json { "brands": [ "Bentley" ] }
URL: https://imsoidc.bentley.com/connect/authorize?client_id=user-management&redirect_uri=https%3A%2F%2Fusermanagement.bentley.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20email%20user-management%20bentley-admin-api%20notification-s Model: Joe Sandbox AI	```json{ "legit_domain": "bentley.com", "classification": "known", "reasons": [ "The domain 'bentley.com' matches the legitimate domain for Bentley Systems, a known software company.", "The URL 'imsoidc.bentley.com' is a subdomain of 'bentley.com', which is common for legitimate services and applications hosted by the company.", "The brand 'Bentley' is classified as 'known' due to its recognition in the software industry.", "The presence of a subdomain 'imsoidc' does not inherently indicate phishing, as companies often use subdomains for different services.", "No suspicious elements such as misspellings or unusual domain extensions were found in the URL." ], "riskscore": 2}
URL: imsoidc.bentley.com Brands: Bentley Input Fields: Email Address
URL: https://bentley.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://bentley.com

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Nov 19 18:46:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9880758583277838
Encrypted:	false
SSDEEP:
MD5:	7DA018B2B0EC18DA0EC5DD7685A3A0A7
SHA1:	D9E56B0A08CFE295944010AFB2F020D1EB292182
SHA-256:	487DBDD3F0E212D2289375AE2D16384ED62956BD6622E1A2EC85C048CE516383
SHA-512:	E23CD79D6AD02863C2334AF219042A7F05ACC064C2D33534BF00F1EDB018DCB40A6165B63B2389B60875830B547E8E57439BDD24030500BF9C8A729380733D67
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....zD(..:..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IsY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VsY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VsY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VsY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VsY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<#.j.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Nov 19 18:46:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.005223451011353
Encrypted:	false
SSDEEP:
MD5:	1534D6CEA1362CE90F16D29EFF4EF964
SHA1:	1D92E15D2B1D84D83EBD96425F6B09E102740C7E
SHA-256:	4BA15A59E5A84137014731B7A37F9A1D644443DC0157EBF8813984A997401F25
SHA-512:	3E518B8C9A0CE9F3A311CFC8004A039C0FCDB37A56930890BD907C75ED479BB49BA023264262AA36EFE0B8EAA50E0E8DDF3F46FC44BFC8E5FF60771650C5DEC1
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....%...:..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IsY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VsY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VsY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VsY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VsY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<#.j.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.011460438807137
Encrypted:	false
SSDEEP:
MD5:	975F6FDB3719FC0456193A03AE302D28
SHA1:	CE978BB020C7F3E391939995B4BA88257F8211BB
SHA-256:	D8DC0CF069ABA501ECA693390A3B0FDA549C504E0288AFF6DF0D2BF577892629
SHA-512:	A2BDC96792439119A05AB76DE2FDCD590A8DB037100DB495C5F405A3B96976191131AE74A65A4973EE4681817DA3FA7086D3938FDDC2FA16443E79C304F746AD
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IsY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VsY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VsY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VsY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<#.j.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Nov 19 18:46:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.000109364202331
Encrypted:	false
SSDEEP:
MD5:	1DC6EF0CAC795DABB2BAAD2ECF724186
SHA1:	0CAB94AB087C3190D5AFB34F9E67A23438C166D3
SHA-256:	8640648F14DEFA4C59F434681126474505724890EE6972D1992F82A545F9319D
SHA-512:	836D44FFEED72BC06DC50C30D6FDDCF977218A5C75525EC211DF2ADDBB120CDD26502E08C92A1400D58470BC97875D0CEE9A576B616A6A930F75DBC319CEEB5E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....4n...:..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IsY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VsY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VsY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VsY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VsY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<#.j.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Nov 19 18:46:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.989929359959336
Encrypted:	false
SSDEEP:
MD5:	CD8572D5DE4DC8DD04982AB8CA6F60ED
SHA1:	F34F0A2036C3E8A10A7DD4EDEA75D2AFE81A963D
SHA-256:	31D051F0AD847DABFFC0A71F2CFD02EC60FA3F504F7235B32D1C06173CE64066
SHA-512:	D17DEEA5005B097565826AB6BF23B51C30F4D8F34DAEA491C1FFF24F503E12E001EB21593ED51A66D93C506859C79B0D80A1DFBCF91B5215ACF36AF988E238AF
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....x"..:..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IsY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VsY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VsY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VsY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VsY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<#.j.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Nov 19 18:46:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.001142426343063
Encrypted:	false
SSDEEP:
MD5:	2523D48F552C181664EC0CF85ECAD59C
SHA1:	443DDAE5961A0660719D83DEADEB4B0D0605DFB6
SHA-256:	7A235D8C8FA7AC940A57E6733A96BF141E048E6804F8FC026FF6388E0C16D7B6
SHA-512:	F660C7FFD71394B16130C3E6E0416FD487DB072E65989D3553A0AF7F661905D015E97462980E8F11AD85F4F05137E8E6CF0B962C25DCAE99665FB871995B0352
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.........:..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IsY......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VsY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VsY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VsY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VsY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........<#.j.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 67

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	20
Entropy (8bit):	3.7464393446710154
Encrypted:	false
SSDEEP:
MD5:	AE51FBC3D399F749B61F9BDF72563826
SHA1:	EC6F460E2F5743D38DD184B43CB3ED60B52F8110
SHA-256:	CCE094DF4D24E9B75D6329FE80DDF2BC29EEE4AAF1282D10EA173DE7F6A842CE
SHA-512:	E6A8B3320F302164B80F86C7F2D2CD2100ECE8904B6530D5A76EB0313CF5639EDCEA01E590FD31113EC3C2666AE94B981FF1599CCBAB69171DF10688ECCCF829
Malicious:	false
Reputation:	unknown
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAlUgwtl0ReM5BIFDXjbCXo=?alt=proto
Preview:	Cg0KCw142wl6GgQIZBgC

Chrome Cache Entry: 68

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (505)
Category:	downloaded
Size (bytes):	6693
Entropy (8bit):	5.1840767008408255
Encrypted:	false
SSDEEP:
MD5:	751ACB8BC400000AB915573523CE3AEC
SHA1:	41AF039A53702C10161BA9A526B68485ADD3E8DC
SHA-256:	D766DB52A53ABBA4083FE9E4808926018A87E13291DE5A901C2686A6670134D1
SHA-512:	051D3478E98CDE3AD4002B346E57F084B35BFB15357B3572FF5CCCDE14A4BE09253E6582C71EDAB4B5E5CD9519307AF36543A3E0C823EA831DBF12A4BB5298F4
Malicious:	false
Reputation:	unknown
URL:	https://imsoidc.bentley.com/assets/css/ims-overrides.css
Preview:	.ping-container {. display: flex;. align-items: center;.}...ping-header {. background-color: transparent;. box-shadow: none;.}..#company-logo-div-text {. display: none;.}..ping-body-container {. border-radius: 3px;. box-shadow: 0px 1px 3px 0px rgba(0, 0, 0, 0.2);. padding: 32px;. background-color: #FFF;. background-color: var(--iui-color-background-1);.}...ping-input-label {. text-transform: none;.}...ping-copyright {. color: rgba(0,0,0,0.4);. color: var(--iui-text-color-muted);.}..#registrationLink {. font-size: 14px;.}..input[type=button], input[type=submit], .ping-button, .button, button {. padding: 0 16px;. margin-right: 10px;. font-size: 14px;. height: 36px;. line-height: 32px;. -webkit-border-radius: 3px; . -moz-border-radius: 3px; . -ms-border-radius: 3px; . border-radius: 3px; . position: relative;. display: inline-block;. font-family: 'Open Sans', BlinkMacSystemFont, -apple-system, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji",

Chrome Cache Entry: 71

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2822
Entropy (8bit):	4.881916041767234
Encrypted:	false
SSDEEP:
MD5:	225DEEC88DD9EE4CCD1BD878F159050F
SHA1:	F623190B386DEE074D4AD444F38AD46C1B9AE23C
SHA-256:	EDF53B579279A1E8C6D76ED0720DD6F6397DE5551EB45D7CAA785D1086EDBF54
SHA-512:	D8602BE7A0A1B9D088096A8E4A0AF09DF2D67B5A76590D0858A7DBE53116D611AB3D106AD95A7C59BD65749E39610441159D20417DDBD47F88FB4FC6BFB1FA88
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Generator: Adobe Illustrator 27.9.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->..<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="400" height="100"... viewBox="0 0 1286 308.6" style="enable-background:new 0 0 1286 308.6;" xml:space="preserve">..<style type="text/css">....st0{fill:#19191A;}..</style>..<g>...<path class="st0" d="M198.9,118.1c15.8-3.6,36.9-25.4,36.9-57.7C235.9,23.7,205.5,0,161,0H29.5v99.4H0v40.9h29.5v102.1h142.8....c46.5,0,76.2-29,76.2-68.3C248.4,139.2,222.7,119.4,198.9,118.1L198.9,118.1z M73.6,40.6h77.5c24.7,0,40.2,12.5,40.2,30....c0,17.5-12.5,29-33,29H73.6V40.6L73.6,40.6z M162,201.8H73.6v-61.7h89c25.4,0,41.2,10.6,41.2,26.7....C203.9,187.3,187.7,201.8,162,201.8L162,201.8z"/>...<path class="st0" d="M357.2,55.1c-54.4,0-96.9,40.6-96.9,95.3c0,65.3,50.1,96,99.9,96c36.9,0,71.6-18.5,86.7-44.8l-32-23.4....c-11.5,16.8-28.4,28.7-52.8,28.7c-25.1

Chrome Cache Entry: 72

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	45468
Entropy (8bit):	4.755598662562364
Encrypted:	false
SSDEEP:
MD5:	1A3A651FFED94057E873D07A03443381
SHA1:	47F0CB3DAE634E453224F90A449B11164322B488
SHA-256:	82FC24301A47A186C834EB5768AD3677E9A8E554ED6A5BA1BD23948D42EEF33C
SHA-512:	82C90771CB5C7980B0010AF469DC0CD009CC554388F32AF092492B11942B051A959A97F2F606907BB911E2ED67128E1CE82E93385CF2C4CAEE19EBA9DAA4650B
Malicious:	false
Reputation:	unknown
URL:	https://imsoidc.bentley.com/assets/css/inputs.css
Preview:	/---------------------------------------------------------------------------------------------. Copyright (c) Bentley Systems, Incorporated. All rights reserved.. * See LICENSE.md in the project root for license terms and full copyright notice.. --------------------------------------------------------------------------------------------/..iui-input-container{. margin:0;. padding:0;. border:none;. vertical-align:baseline;. display:-ms-grid;. display:grid;. -ms-grid-rows:auto auto;. -ms-grid-columns:auto 1fr;. grid-template:'label label' 'inputs inputs' / auto 1fr;. cursor:default; }. .iui-input-container.iui-inline-icon:not(.iui-inline-label) .iui-input-icon{. -ms-grid-row:2;. -ms-grid-column:2; }. .iui-input-container.iui-inline-icon > .iui-input,. .iui-input-container.iui-inline-icon > .iui-textarea{. padding-right:40px; }. .iui-input-container.iui-inline-icon > .iui-input:last-child,. .iui-input-container.iui-inline-icon > .iui-textarea:last-child

Chrome Cache Entry: 73

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	18236
Entropy (8bit):	4.775654785242883
Encrypted:	false
SSDEEP:
MD5:	11869A7766C53E9BF26B1E5AFF87B642
SHA1:	43B06942524741D0EFEDFDD63D77B449ECB52274
SHA-256:	93111A91E20370B69963D9DA39FA922A2F32CF2C192E469E82ED72459FAA640D
SHA-512:	A4B6F0AA09A4027F53311A0B10CEF4B213FBD5F269017B52E255C7E9CB42303F6A431C562AEA117D5F7F4DEBE1D98FE9959E29202805BF43894B1C96B277B6D5
Malicious:	false
Reputation:	unknown
URL:	https://imsoidc.bentley.com/assets/css/global.css
Preview:	/---------------------------------------------------------------------------------------------. Copyright (c) Bentley Systems, Incorporated. All rights reserved.. * See LICENSE.md in the project root for license terms and full copyright notice.. --------------------------------------------------------------------------------------------/..iui-body{. background-color:#F8F9FB;. color:rgba(0, 0, 0, 0.8);. background-color:var(--iui-color-background-2);. color:var(--iui-text-color);. font-size:14px;. line-height:22px;. scrollbar-color:rgba(0, 0, 0, 0.4) transparent;. scrollbar-width:thin;. scrollbar-color:rgba(var(--iui-color-foreground-body-rgb), var(--iui-opacity-4)) transparent;. scrollbar-width:thin;. font-family:"Open Sans", -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Helvetica Neue", Arial, sans-serif; }. .iui-body::-webkit-scrollbar{. width:8px;. height:8px; }. .iui-body::-webkit-scrollbar-thumb{. background-color:rgba(0, 0, 0, 0.4);. back

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	32038
Entropy (8bit):	3.5700586343594214
Encrypted:	false
SSDEEP:
MD5:	87A3E2C2EB0FC326219DB1D093CA895A
SHA1:	EB3D1E824F60D9BD67DD2FBCCA72AE4A744545DF
SHA-256:	508681DA935F3835C0006E8BF21D360EBE8611300C2B8ECBC88BB3D9CD5918C0
SHA-512:	64F5A7963F8B3FFA1F6F254C6A9667A85C4C3678ACD25ADA6693FBE56B4CD318C4866B9A8ECCC21B64849D1A5F7E43B730C924A5F516E13D90596DCA973020C8
Malicious:	false
Reputation:	unknown
URL:	https://connect-cdn.bentley.com/cdn/en/favicon.ico
Preview:	............ .h...F... .... .........00.... ..%..V...@@.... .(B...:..(....... ..... .................................,.D.,.D.,.DJ,.D.,.D.,.D.,.D.,.D.,.D.,.DK,.D.,.D.........,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.+.C..B.).B.).B.).B.).B..C.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.+.C.7.M.T.g.U.i.U.i.U.i.U.h.E.Z.-.E.,.D.,.D.,.D.,.D.,.DI,.D.,.D.).A._.q............................/.G.,.D.,.D.,.DL,.D.,.D.,.D.).A.b.t........h.y.j.{.q..........R.f..B.,.D.,.D.,.D.,.D.,.D.).A.c.u.....n...%.>.).A.'.@........].o.).A.,.D.,.D.,.D.,.D..B.O.c..............................7.N.+.C.,.D.,.D.,.D.,.D..B.R.f.............................l.\|.).B.,.D.,.D.,.D.,.D.,.D.,.D..B.e.w.....p..).A.+.C.9.O........./.G.,.D.,.D.,.D.,.D.,.D.,.D.).A.b.t........j.{.l.}............0.G.,.D.,.D.,.D.,.DH,.D.,.D.).A.^.q.........................`.r..C.,.D.,.D.,.DK,.D.,.D.,.D.+.C.6.M.R.e.S.g.S.g.S.g.P.d.;.Q.+.C.,.D.,.D.,.D.,.D.,.D.,.D.,.D.,.D.+.C..B..B..B..B..B.+.C.,.D.,.D.,.D.,.

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (706)
Category:	downloaded
Size (bytes):	172471
Entropy (8bit):	4.920197170534048
Encrypted:	false
SSDEEP:
MD5:	261BC00926ACBE4F634FA87B614E2A79
SHA1:	EA39A6435E1E9CB4FE32208B81B53C2C52921CA4
SHA-256:	FEC59CEA24FBCE3079E4FE268B7E57CF4B31222E1F8372331247CAA8B6589FC7
SHA-512:	809901BAACC4BD6C95314122B6C54E588276B222A618BFAA7D4D7C56D4DF1D0C34AE2C22DA0F097DCF3AF8E84887F8D325200FCE2F57E443DB3B26580B536DB1
Malicious:	false
Reputation:	unknown
URL:	https://imsoidc.bentley.com/assets/css/main.css
Preview:	@charset "UTF-8";./* Eric Meyer's Reset CSS v2.0 - http://cssreset.com */.html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td, article, aside, canvas, details, embed, figure, figcaption, footer, header, hgroup, menu, nav, output, ruby, section, summary, time, mark, audio, video {. border: 0;. font-size: 100%;. font: inherit;. vertical-align: baseline;. margin: 0;. padding: 0;.}..article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section {. display: block;.}..body {. line-height: 1;. overflow-y: scroll;. overflow-y: overlay;.}..ol, ul {. list-style: none;.}..blockquote, q {. quotes: none;.}..blockquote:before, blockquote:after, q:before, q:after {. content: none;.}

Static File Info

⊘No static file info

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 71

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Static File Info