Edit tour

Windows Analysis Report
AllItems.htm

Overview

General Information

Sample name:	AllItems.htm
Analysis ID:	1584962
MD5:	f6b200ff75fb02b13238f7aa6eef9884
SHA1:	6659fae7863d8f297ac7b73b9868a1f151d34c87
SHA256:	65a5d32dee75db73ea0801727911a7cb6a4aebeb9c016168e7bd2089b818b45f
Infos:

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Yara detected HtmlPhish54

HTML IFrame injector detected

HTML Script injector detected

HTML file submission containing password form

Suspicious Javascript code found in HTML file

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

IP address seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

PE file contains more sections than normal

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6408 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\AllItems.htm" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2168,i,5801467971831341747,16495345318854504296,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
1.1.pages.csv	JoeSecurity_HtmlPhish_54	Yara detected HtmlPhish_54	Joe Security
1.3.pages.csv	JoeSecurity_HtmlPhish_54	Yara detected HtmlPhish_54	Joe Security
1.4.pages.csv	JoeSecurity_HtmlPhish_54	Yara detected HtmlPhish_54	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://login.microsoftonline.de

Avira URL Cloud: Label: phishing

Phishing

Yara detected HtmlPhish54

Source: Yara match	File source: 1.1.pages.csv, type: HTML
Source: Yara match	File source: 1.3.pages.csv, type: HTML
Source: Yara match	File source: 1.4.pages.csv, type: HTML

HTML IFrame injector detected

Source: file:///C:/Users/user/Desktop/AllItems.htm

HTTP Parser: New IFrame, src: https://login.microsoftonline.com/c9de0af1-361b-42ae-ace3-ab4cea6cb8dc/oauth2/v2.0/authorize?client_id=08e18876-6177-487e-b8b5-cf950c1e598c&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default%20openid%20profile%20offline_access&redirect_uri=file%3A%2F%2F%2F_forms%2Fspfxsinglesignon.aspx&client-request-id=7a307eba-92b8-4ce1-bea8-55453e5791af&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=3.23.0&client_info=1&code_challenge=kK8mj1gIdsKkp3-AxAJoq0nRMSurq2Y3tUblUs1MeOE&code_challenge_method=S256&prompt=none&sid=6127e541-3b23-4e25-814d-865511e288a0&nonce=01943d32-e895-7957-88b5-149090293787&state=eyJpZCI6IjAxOTQzZDMyLWU4OTMtNzdlNC1hOTVhLTQ1OGNiMWMzM2RhZCIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19

HTML Script injector detected

Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: New script, src: https://res-1.cdn.office.net:443/files/sp-client/listview-host-assembly_en-us_541cd748742f26cf433e8a419f82256f.js?1736193525767
Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: New script, src: https://res-1.cdn.office.net:443/files/sp-client/listview-host-assembly_en-us_541cd748742f26cf433e8a419f82256f.js?1736193525767
Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: New script, src: https://res-1.cdn.office.net:443/files/sp-client/listview-host-assembly_en-us_541cd748742f26cf433e8a419f82256f.js?1736193525767

Suspicious Javascript code found in HTML file

Source: AllItems.htm	HTTP Parser: .location
Source: AllItems.htm	HTTP Parser: .location

Source: file:///C:/Users/user/Desktop/AllItems.htm

HTTP Parser: Number of links: 0

Source: file:///C:/Users/user/Desktop/AllItems.htm

HTTP Parser: Base64 decoded: {"id":"01943d32-e893-77e4-a95a-458cb1c33dad","meta":{"interactionType":"silent"}}

Source: file:///C:/Users/user/Desktop/AllItems.htm

HTTP Parser: Title: Redirecting does not match URL

Source: file:///C:/Users/user/Desktop/AllItems.htm

HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/AllItems.htm

HTTP Parser: No favicon

Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/AllItems.htm	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\LICENSE.txt

Jump to behavior

Source:	Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.0.dr
Source:	Binary string: C:\b\s\w\ir\x\w\rc\cdm\protected\out\Release\widevinecdm.dll.pdb source: widevinecdm.dll.0.dr

Source: global traffic

TCP traffic: 192.168.2.4:58140 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.107.136.10 13.107.136.10
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.50.131
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.50.131
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.50.131
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.50.131
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /sites/apps/ClientSideAssets/27fe8d27-ddaa-4de9-ad0e-01deffdee2e8/nitro-pro-command-set_c69ae53f4c80ee966df6.js HTTP/1.1Host: trwd.sharepoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sites/apps/ClientSideAssets/27fe8d27-ddaa-4de9-ad0e-01deffdee2e8/NitroProCommandSetStrings_en-us_6663b8dfe1b17302d49ea125b48147b5.js HTTP/1.1Host: trwd.sharepoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_layouts/15/images/favicon.ico?%20rev=47 HTTP/1.1Host: trwd.sharepoint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_layouts/15/images/favicon.ico?%20rev=47 HTTP/1.1Host: trwd.sharepoint.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: trwd.sharepoint.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: m365cdn.nel.measure.office.net
Source: global traffic	DNS traffic detected: DNS query: login.microsoftonline.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net

Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: http://169.254.169.254/metadata/instance/compute/location
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chromecache_236.2.dr, chromecache_167.2.dr, chromecache_245.2.dr, chromecache_169.2.dr	String found in binary or memory: http://fb.me/use-check-prop-types
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: widevinecdm.dll.0.dr, Google.Widevine.CDM.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: chromecache_238.2.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: sets.json.0.dr	String found in binary or memory: https://07c225f3.online
Source: chromecache_248.2.dr, chromecache_187.2.dr	String found in binary or memory: https://1drv.com/
Source: sets.json.0.dr	String found in binary or memory: https://24.hu
Source: sets.json.0.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.0.dr	String found in binary or memory: https://abczdrowie.pl
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://aka.ms/msaljs/optional-claims
Source: sets.json.0.dr	String found in binary or memory: https://alice.tw
Source: sets.json.0.dr	String found in binary or memory: https://ambitionbox.com
Source: sets.json.0.dr	String found in binary or memory: https://autobild.de
Source: sets.json.0.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.0.dr	String found in binary or memory: https://bild.de
Source: sets.json.0.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.0.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.0.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.0.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.0.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.0.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.0.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.0.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.0.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.0.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.0.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.0.dr	String found in binary or memory: https://cardsayings.net
Source: chromecache_248.2.dr, chromecache_187.2.dr	String found in binary or memory: https://centralus1-mediad.svc.ms
Source: sets.json.0.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.0.dr	String found in binary or memory: https://chennien.com
Source: sets.json.0.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.0.dr	String found in binary or memory: https://clarosports.com
Source: manifest.json1.0.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: sets.json.0.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.0.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.0.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.0.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.0.dr	String found in binary or memory: https://content-loader.com
Source: sets.json.0.dr	String found in binary or memory: https://cookreactor.com
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: sets.json.0.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.0.dr	String found in binary or memory: https://css-load.com
Source: sets.json.0.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.0.dr	String found in binary or memory: https://deere.com
Source: sets.json.0.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.0.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.0.dr	String found in binary or memory: https://drimer.io
Source: sets.json.0.dr	String found in binary or memory: https://drimer.travel
Source: LICENSE.txt.0.dr	String found in binary or memory: https://easylist.to/)
Source: sets.json.0.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.0.dr	String found in binary or memory: https://een.be
Source: sets.json.0.dr	String found in binary or memory: https://efront.com
Source: sets.json.0.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.0.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.0.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.0.dr	String found in binary or memory: https://ella.sv
Source: sets.json.0.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.0.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.0.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.0.dr	String found in binary or memory: https://finn.no
Source: sets.json.0.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.0.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.0.dr	String found in binary or memory: https://gettalkdesk.com
Source: LICENSE.txt.0.dr	String found in binary or memory: https://github.com/easylist)
Source: chromecache_228.2.dr, chromecache_158.2.dr	String found in binary or memory: https://github.com/uuidjs/uuid#getrandomvalues-not-supported
Source: sets.json.0.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.0.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.0.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://grid.id
Source: sets.json.0.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.0.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.0.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.0.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://hapara.com
Source: sets.json.0.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.global
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.0.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.0.dr	String found in binary or memory: https://hearty.app
Source: sets.json.0.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.0.dr	String found in binary or memory: https://hearty.me
Source: sets.json.0.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.0.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.0.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.0.dr	String found in binary or memory: https://hj.rs
Source: sets.json.0.dr	String found in binary or memory: https://hjck.com
Source: sets.json.0.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.0.dr	String found in binary or memory: https://html-load.com
Source: sets.json.0.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.0.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.0.dr	String found in binary or memory: https://img-load.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.0.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.0.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.0.dr	String found in binary or memory: https://interia.pl
Source: sets.json.0.dr	String found in binary or memory: https://intoday.in
Source: sets.json.0.dr	String found in binary or memory: https://iolam.it
Source: sets.json.0.dr	String found in binary or memory: https://ishares.com
Source: sets.json.0.dr	String found in binary or memory: https://jagran.com
Source: sets.json.0.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.0.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.0.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.0.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.0.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.0.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.0.dr	String found in binary or memory: https://libero.it
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.0.dr	String found in binary or memory: https://livechat.com
Source: sets.json.0.dr	String found in binary or memory: https://livechatinc.com
Source: chromecache_248.2.dr, chromecache_187.2.dr	String found in binary or memory: https://livefilestore.com/
Source: sets.json.0.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.0.dr	String found in binary or memory: https://livemint.com
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://login.chinacloudapi.cn
Source: chromecache_229.2.dr	String found in binary or memory: https://login.chinacloudapi.cn/
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://login.microsoftonline.com
Source: chromecache_229.2.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://login.microsoftonline.com/common/
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://login.microsoftonline.de
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://login.microsoftonline.us
Source: chromecache_229.2.dr	String found in binary or memory: https://login.microsoftonline.us/
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://login.partner.microsoftonline.cn/
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://login.windows-ppe.net
Source: sets.json.0.dr	String found in binary or memory: https://max.auto
Source: chromecache_248.2.dr, chromecache_187.2.dr	String found in binary or memory: https://media.cloudapp.net
Source: sets.json.0.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.0.dr	String found in binary or memory: https://meo.pt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: chromecache_236.2.dr, chromecache_245.2.dr	String found in binary or memory: https://microsoft.spfx3rdparty.com
Source: sets.json.0.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.0.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.0.dr	String found in binary or memory: https://money.pl
Source: sets.json.0.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.0.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://nacion.com
Source: sets.json.0.dr	String found in binary or memory: https://naukri.com
Source: sets.json.0.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.co
Source: sets.json.0.dr	String found in binary or memory: https://nien.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.org
Source: sets.json.0.dr	String found in binary or memory: https://nlc.hu
Source: chromecache_248.2.dr, chromecache_187.2.dr	String found in binary or memory: https://northcentralus1-medias.svc.ms
Source: sets.json.0.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.0.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.0.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.0.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.0.dr	String found in binary or memory: https://o2.pl
Source: sets.json.0.dr	String found in binary or memory: https://ocdn.eu
Source: AllItems.htm	String found in binary or memory: https://onedrive.live.com/?gologin=1
Source: sets.json.0.dr	String found in binary or memory: https://onet.pl
Source: sets.json.0.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.0.dr	String found in binary or memory: https://p106.net
Source: sets.json.0.dr	String found in binary or memory: https://p24.hu
Source: sets.json.0.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.0.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.0.dr	String found in binary or memory: https://player.pl
Source: sets.json.0.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.0.dr	String found in binary or memory: https://poalim.site
Source: sets.json.0.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.0.dr	String found in binary or memory: https://pomponik.pl
Source: sets.json.0.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.0.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.0.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.0.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://radio1.be
Source: sets.json.0.dr	String found in binary or memory: https://radio2.be
Source: chromecache_169.2.dr	String found in binary or memory: https://reactjs.org/link/react-polyfills
Source: sets.json.0.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://repid.org
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2024-12-06.004/
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp-media-e3b50469
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.1ds/odsp.1ds.lib-9f75f7e2
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.fluentui.core/fui.core-fb899173
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.fluentui.utilities/fui.util-93de749b
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.react/odsp.react.lib-9ea4d016
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.tslib/tslib-6a7224b3
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net/files/sp-client/odsp.utilities/odsp.util-90e28871
Source: AllItems.htm	String found in binary or memory: https://res-1.cdn.office.net:443/files/sp-client/listview-host-assembly_en-us_541cd748742f26cf433e8a
Source: AllItems.htm	String found in binary or memory: https://res-2.cdn.office.net/files/odsp-web-prod_2024-12-06.004/
Source: AllItems.htm	String found in binary or memory: https://res-2.cdn.office.net:443/files/sp-client/listview-host-assembly_en-us_541cd748742f26cf433e8a
Source: sets.json.0.dr	String found in binary or memory: https://reshim.org
Source: sets.json.0.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.0.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.0.dr	String found in binary or memory: https://samayam.com
Source: sets.json.0.dr	String found in binary or memory: https://sapo.io
Source: sets.json.0.dr	String found in binary or memory: https://sapo.pt
Source: AllItems.htm	String found in binary or memory: https://shell.cdn.office.net
Source: AllItems.htm	String found in binary or memory: https://shell.cdn.office.net/api/ShellBootstrapper/business/OneShell
Source: sets.json.0.dr	String found in binary or memory: https://shock.co
Source: sets.json.0.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.0.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.0.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.0.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.0.dr	String found in binary or memory: https://songshare.com
Source: sets.json.0.dr	String found in binary or memory: https://songstats.com
Source: AllItems.htm	String found in binary or memory: https://spoprod-a.akamaihd.net/files/odsp-common-library-prod_2019-02-15_20190219.002/require.js
Source: sets.json.0.dr	String found in binary or memory: https://sporza.be
Source: sets.json.0.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.0.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.0.dr	String found in binary or memory: https://stripe.com
Source: sets.json.0.dr	String found in binary or memory: https://stripe.network
Source: sets.json.0.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.0.dr	String found in binary or memory: https://supereva.it
Source: sets.json.0.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.0.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.0.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.0.dr	String found in binary or memory: https://text.com
Source: sets.json.0.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://the42.ie
Source: sets.json.0.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.0.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.0.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.0.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.com
Source: chromecache_240.2.dr, chromecache_229.2.dr	String found in binary or memory: https://tools.ietf.org/html/rfc7515
Source: sets.json.0.dr	String found in binary or memory: https://top.pl
Source: sets.json.0.dr	String found in binary or memory: https://tribunnews.com
Source: AllItems.htm	String found in binary or memory: https://trwd.sharepoint.com/_layouts/15/images/favicon.ico?%20rev=47
Source: AllItems.htm	String found in binary or memory: https://trwd.sharepoint.com/sites/trwdsecresponseteam
Source: AllItems.htm	String found in binary or memory: https://trwd.sharepoint.com/sites/trwdsecresponseteam/Shared%20Documents/Forms/AllItems.aspx?id=%2Fs
Source: AllItems.htm	String found in binary or memory: https://trwd.sharepoint.com/sites/trwdsecresponseteam/_layouts/15/DocIdRedir.aspx?ID=NAH345HN3FVM-78
Source: AllItems.htm	String found in binary or memory: https://trwd.sharepoint.com:443/_api/v2.0/drives/b
Source: sets.json.0.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://tvid.in
Source: sets.json.0.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.0.dr	String found in binary or memory: https://unotv.com
Source: sets.json.0.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.0.dr	String found in binary or memory: https://vrt.be
Source: sets.json.0.dr	String found in binary or memory: https://vwo.com
Source: sets.json.0.dr	String found in binary or memory: https://welt.de
Source: sets.json.0.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.0.dr	String found in binary or memory: https://wildix.com
Source: sets.json.0.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.0.dr	String found in binary or memory: https://wingify.com
Source: sets.json.0.dr	String found in binary or memory: https://wordle.at
Source: sets.json.0.dr	String found in binary or memory: https://wp.pl
Source: sets.json.0.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.0.dr	String found in binary or memory: https://www.asadcdn.com
Source: AllItems.htm	String found in binary or memory: https://www.office.com/login?prompt=select_account&ru=%2Flaunch%2Fsharepoint
Source: AllItems.htm	String found in binary or memory: https://www.office.com/login?ru=%2Flaunch%2Fsharepoint
Source: sets.json.0.dr	String found in binary or memory: https://ya.ru
Source: sets.json.0.dr	String found in binary or memory: https://yours.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://zalo.me
Source: sets.json.0.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://zingmp3.vn
Source: sets.json.0.dr	String found in binary or memory: https://zoom.com
Source: sets.json.0.dr	String found in binary or memory: https://zoom.us

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58317
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58156
Source: unknown	Network traffic detected: HTTP traffic on port 58317 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58156 -> 443

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\win_x64\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\win_x64\widevinecdm.dll.sig	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\win_x64\widevinecdm.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_6408_312646171

Jump to behavior

Source: widevinecdm.dll.0.dr	Static PE information: Number of sections : 13 > 10
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: Number of sections : 12 > 10

Source: classification engine

Classification label: mal72.phis.winHTM@30/186@22/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\AllItems.htm"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2168,i,5801467971831341747,16495345318854504296,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2168,i,5801467971831341747,16495345318854504296,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source:	Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.0.dr
Source:	Binary string: C:\b\s\w\ir\x\w\rc\cdm\protected\out\Release\widevinecdm.dll.pdb source: widevinecdm.dll.0.dr

Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: _RDATA
Source: widevinecdm.dll.0.dr	Static PE information: section name: .00cfg
Source: widevinecdm.dll.0.dr	Static PE information: section name: .gxfg
Source: widevinecdm.dll.0.dr	Static PE information: section name: .retplne
Source: widevinecdm.dll.0.dr	Static PE information: section name: .rodata
Source: widevinecdm.dll.0.dr	Static PE information: section name: _RDATA
Source: widevinecdm.dll.0.dr	Static PE information: section name: malloc_h

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\Google.Widevine.CDM.dll			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\win_x64\widevinecdm.dll			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\Google.Widevine.CDM.dll			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\win_x64\widevinecdm.dll			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\LICENSE.txt

Jump to behavior

Source: chromecache_211.2.dr, chromecache_193.2.dr	Binary or memory string: "}};(0,i.fF)(n,t)}function O(e,t){void 0===e&&(e="");var n={style:{MozOsxFontSmoothing:"grayscale",WebkitFontSmoothing:"antialiased",fontStyle:"normal",fontWeight:"normal",speak:"none"},fontFace:{fontFamily:'"FabricMDL2Icons-21"',src:"url('".concat(e,"odsp-next-icons-21-f9e5f519.woff') format('woff')")},icons:{DisconnectVirtualMachine:"
Source: chromecache_222.2.dr, chromecache_211.2.dr, chromecache_197.2.dr, chromecache_193.2.dr	Binary or memory string: ",ConnectVirtualMachine:"
Source: chromecache_222.2.dr, chromecache_197.2.dr	Binary or memory string: ",DisconnectVirtualMachine:"

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/AllItems.htm

HTTP Parser: file:///C:/Users/user/Desktop/AllItems.htm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\Google.Widevine.CDM.dll	0%	ReversingLabs
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\win_x64\widevinecdm.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://login.microsoftonline.de	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dual-spo-0005.spo-msedge.net	13.107.136.10	true	false	high
s-part-0036.t-0009.t-msedge.net	13.107.246.64	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
sni1gl.wpc.omegacdn.net	152.199.21.175	true	false	high
www.google.com	172.217.18.4	true	false	high
trwd.sharepoint.com	unknown	unknown	false	high
aadcdn.msftauth.net	unknown	unknown	false	high
login.microsoftonline.com	unknown	unknown	false	high
m365cdn.nel.measure.office.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://wieistmeineip.de	sets.json.0.dr	false		high
https://mercadoshops.com.co	sets.json.0.dr	false		high
https://gliadomain.com	sets.json.0.dr	false		high
https://poalim.xyz	sets.json.0.dr	false		high
https://mercadolivre.com	sets.json.0.dr	false		high
https://easylist.to/)	LICENSE.txt.0.dr	false		high
https://reshim.org	sets.json.0.dr	false		high
https://nourishingpursuits.com	sets.json.0.dr	false		high
https://medonet.pl	sets.json.0.dr	false		high
https://unotv.com	sets.json.0.dr	false		high
https://mercadoshops.com.br	sets.json.0.dr	false		high
https://joyreactor.cc	sets.json.0.dr	false		high
https://zdrowietvn.pl	sets.json.0.dr	false		high
https://johndeere.com	sets.json.0.dr	false		high
https://login.microsoftonline.us	chromecache_240.2.dr, chromecache_229.2.dr	false		high
https://songstats.com	sets.json.0.dr	false		high
https://baomoi.com	sets.json.0.dr	false		high
https://supereva.it	sets.json.0.dr	false		high
http://www.opensource.org/licenses/mit-license.php	chromecache_238.2.dr	false		high
https://elfinancierocr.com	sets.json.0.dr	false		high
https://bolasport.com	sets.json.0.dr	false		high
https://rws1nvtvt.com	sets.json.0.dr	false		high
https://desimartini.com	sets.json.0.dr	false		high
https://hearty.app	sets.json.0.dr	false		high
https://northcentralus1-medias.svc.ms	chromecache_248.2.dr, chromecache_187.2.dr	false		high
https://hearty.gift	sets.json.0.dr	false		high
https://mercadoshops.com	sets.json.0.dr	false		high
https://heartymail.com	sets.json.0.dr	false		high
https://nlc.hu	sets.json.0.dr	false		high
https://onedrive.live.com/?gologin=1	AllItems.htm	false		high
https://p106.net	sets.json.0.dr	false		high
https://radio2.be	sets.json.0.dr	false		high
https://finn.no	sets.json.0.dr	false		high
https://hc1.com	sets.json.0.dr	false		high
https://kompas.tv	sets.json.0.dr	false		high
https://mystudentdashboard.com	sets.json.0.dr	false		high
https://login.microsoftonline.de	chromecache_240.2.dr, chromecache_229.2.dr	false	Avira URL Cloud: phishing	unknown
https://songshare.com	sets.json.0.dr	false		high
https://smaker.pl	sets.json.0.dr	false		high
https://mercadopago.com.mx	sets.json.0.dr	false		high
https://p24.hu	sets.json.0.dr	false		high
https://talkdeskqaid.com	sets.json.0.dr	false		high
https://24.hu	sets.json.0.dr	false		high
https://mercadopago.com.pe	sets.json.0.dr	false		high
https://cardsayings.net	sets.json.0.dr	false		high
https://text.com	sets.json.0.dr	false		high
https://mightytext.net	sets.json.0.dr	false		high
https://pudelek.pl	sets.json.0.dr	false		high
https://hazipatika.com	sets.json.0.dr	false		high
https://joyreactor.com	sets.json.0.dr	false		high
https://cookreactor.com	sets.json.0.dr	false		high
https://wildixin.com	sets.json.0.dr	false		high
https://eworkbookcloud.com	sets.json.0.dr	false		high
https://cognitiveai.ru	sets.json.0.dr	false		high
https://nacion.com	sets.json.0.dr	false		high
https://chennien.com	sets.json.0.dr	false		high
https://drimer.travel	sets.json.0.dr	false		high
https://trwd.sharepoint.com/sites/trwdsecresponseteam/_layouts/15/DocIdRedir.aspx?ID=NAH345HN3FVM-78	AllItems.htm	false		high
https://deccoria.pl	sets.json.0.dr	false		high
https://mercadopago.cl	sets.json.0.dr	false		high
https://talkdeskstgid.com	sets.json.0.dr	false		high
https://naukri.com	sets.json.0.dr	false		high
https://interia.pl	sets.json.0.dr	false		high
https://bonvivir.com	sets.json.0.dr	false		high
https://carcostadvisor.be	sets.json.0.dr	false		high
https://salemovetravel.com	sets.json.0.dr	false		high
https://sapo.io	sets.json.0.dr	false		high
https://wpext.pl	sets.json.0.dr	false		high
https://welt.de	sets.json.0.dr	false		high
https://poalim.site	sets.json.0.dr	false		high
https://drimer.io	sets.json.0.dr	false		high
https://infoedgeindia.com	sets.json.0.dr	false		high
https://blackrockadvisorelite.it	sets.json.0.dr	false		high
https://cognitive-ai.ru	sets.json.0.dr	false		high
https://cafemedia.com	sets.json.0.dr	false		high
https://graziadaily.co.uk	sets.json.0.dr	false		high
https://thirdspace.org.au	sets.json.0.dr	false		high
https://mercadoshops.com.ar	sets.json.0.dr	false		high
https://smpn106jkt.sch.id	sets.json.0.dr	false		high
https://elpais.uy	sets.json.0.dr	false		high
https://landyrev.com	sets.json.0.dr	false		high
https://the42.ie	sets.json.0.dr	false		high
https://commentcamarche.com	sets.json.0.dr	false		high
https://tucarro.com.ve	sets.json.0.dr	false		high
https://rws3nvtvt.com	sets.json.0.dr	false		high
https://eleconomista.net	sets.json.0.dr	false		high
https://helpdesk.com	sets.json.0.dr	false		high
https://mercadolivre.com.br	sets.json.0.dr	false		high
https://clmbtech.com	sets.json.0.dr	false		high
https://login.chinacloudapi.cn	chromecache_240.2.dr, chromecache_229.2.dr	false		high
https://standardsandpraiserepurpose.com	sets.json.0.dr	false		high
https://07c225f3.online	sets.json.0.dr	false		high
https://login.windows-ppe.net	chromecache_240.2.dr, chromecache_229.2.dr	false		high
https://salemovefinancial.com	sets.json.0.dr	false		high
https://mercadopago.com.br	sets.json.0.dr	false		high
https://zoom.us	sets.json.0.dr	false		high
https://commentcamarche.net	sets.json.0.dr	false		high
https://etfacademy.it	sets.json.0.dr	false		high
https://mighty-app.appspot.com	sets.json.0.dr	false		high
https://hj.rs	sets.json.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.136.10	dual-spo-0005.spo-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584962
Start date and time:	2025-01-06 20:57:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AllItems.htm
Detection:	MAL
Classification:	mal72.phis.winHTM@30/186@22/5
Cookbook Comments:	Found application associated with file extension: .htm

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.227.203, 2.23.227.209, 142.250.185.67, 142.250.185.206, 74.125.71.84, 104.102.55.235, 142.250.185.110, 2.23.209.37, 2.23.209.42, 142.250.181.238, 2.19.126.143, 2.19.126.146, 142.250.186.46, 199.232.214.172, 192.229.221.95, 172.217.16.206, 40.126.32.138, 40.126.32.134, 40.126.32.76, 20.190.160.22, 20.190.160.20, 20.190.160.17, 40.126.32.136, 40.126.32.74, 20.190.159.75, 20.190.159.23, 20.190.159.0, 40.126.31.69, 20.190.159.64, 20.190.159.73, 20.190.159.71, 40.126.31.67, 40.79.189.59, 20.50.73.10, 142.250.185.170, 172.217.18.10, 142.250.186.138, 142.250.184.202, 172.217.16.202, 216.58.212.138, 142.250.185.138, 142.250.184.234, 142.250.185.74, 216.58.206.74, 142.250.186.74, 172.217.16.138, 142.250.186.42, 172.217.23.106, 142.250.185.106, 142.250.186.106, 20.189.173.25, 216.58.212.170, 142.250.74.202, 142.250.185.202, 142.250.184.206, 40.79.150.121, 142.250.185.238, 142.250.184.227, 142.250.186.174, 142.250.185.174, 34.104.35.123, 2.16.238.152, 2.16.238.149, 95.101.5
Excluded domains from analysis (whitelisted): 193287-ipv4v6e.farm.dprodmgd105.sharepointonline.com.akadns.net, slscr.update.microsoft.com, e40491.dscd.akamaiedge.net, res-1.cdn.office.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, a1894.dscb.akamai.net, ak.privatelink.msidentity.com, mobile.events.data.microsoft.com, res-prod.cdn.office.net.akadns.net, onedscolprdfrc05.francecentral.cloudapp.azure.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, onedscolprdjpe05.japaneast.cloudapp.azure.com, shell.cdn.office.net, update.googleapis.com, login.mso.msidentity.com, res-1.cdn.office.net-c.edgekey.net.globalredir.akadns.net, optimizationguide-pa.googleapis.com, clients1.google.com, www.tm.ak.prd.aadg.trafficmanager.net, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, aadcdnoriginwus2.azureedge.net, www.tm.ak.prd.aadg.akadns.net, onedscolprdneu04.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e19254.dscg.akamaied
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: AllItems.htm

Input	Output
URL: file:///C:/Users/user/Desktop/AllItems.htm... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be a SharePoint page context object, which is commonly used for client-side rendering and interaction with SharePoint sites. While it contains some potentially sensitive information like user details and site configuration, there are no clear indicators of malicious behavior or data exfiltration. The script seems to be part of legitimate SharePoint functionality and does not exhibit any high-risk behaviors." }
// (function(global){ var correlationId="1af574a1-0098-7000-5f0e-6698c90c2515", handleFailure=function(errorInformation) { console.error(errorInformation.message);},spClientSidePageContext=JSON.parse('{"user" : {"@odata.context":"https://trwd.sharepoint.com/sites/trwdsecresponseteam/_api/$metadata#Users/$entity","@odata.type":"#SP.User","@odata.id":"https://trwd.sharepoint.com/_api/Web/GetUserById(54)","@odata.editLink":"Web/GetUserById(54)","Id":54,"IsHiddenInUI":false,"LoginName":"i:0#.f\|membership\|mike.tocher@trwd.com","Title":"Mike Tocher","PrincipalType":1,"Email":"Mike.Tocher@trwd.com","Expiration":"","IsEmailAuthenticationGuestUser":false,"IsShareByEmailGuestUser":false,"IsSiteAdmin":false,"UserId":{"NameId":"10032003dad25cfe","NameIdIssuer":"urn:federation:microsoftonline"},"UserPrincipalName":"mike.tocher@trwd.com"},"isUserVoiceEnabled" : true,"templateFolderName" : "Templates","moderationEnabled" : false,"draftVersionVisibility" : 0,"clientSideApplicationId" : "b1ab4aaa-f779-405c-8683-d3a750b5d18d","contextWebInfo" : {\r"_ObjectType_":"SP.ContextWebInformation","FormDigestTimeoutSeconds":0,"FormDigestValue":null,"LibraryVersion":"16.0.25520.12010","SiteFullUrl":"https:\\u002f\\u002ftrwd.sharepoint.com\\u002fsites\\u002ftrwdsecresponseteam","SupportedSchemaVersions":[\r"14.0.0.0","15.0.0.0"\r],"WebFullUrl":"https:\\u002f\\u002ftrwd.sharepoint.com\\u002fsites\\u002ftrwdsecresponseteam"\r},"customActions" : [],"spPageContextInfo" : {"ListCountLimit":0,"FieldCountLimit":0,"ClientPrefetchBehavior":0,"IsConsumerListsPaidUser":false,"IsConsumerFilesPaidUser":false,"siteDisabled":false,"isCommonDomainRequestContext":false,"webServerRelativeUrl":"/sites/trwdsecresponseteam","webServerRelativeUrlLegacy":"","webAbsoluteUrl":"https://trwd.sharepoint.com/sites/trwdsecresponseteam","webAbsoluteUrlLegacy":"","viewId":"{ecd94184-a7a6-4ab0-814b-4cd9a68d49d8}","webPropertyFlags2":16384,"listId":"{48550973-4720-4352-8fc4-a0807a818256}","listTemplateId":"","listPermsMask":{"High":432,"Low":1011030767},"listUrl":"/sites/trwdsecresponseteam/Shared Documents","listUrlLegacy":"","listTitle":"Documents","listBaseTemplate":101,"listBaseType":1,"listForceCheckout":false,"draftVersionVisibilityType":0,"thirdPartyReplyUrisUpdated":false,"ariaCollectorUrl":"https://browser.pipe.aria.microsoft.com/Collector/3.0/","secureBrokerDomainName":"securebroker.sharepointonline.com","oneDsCollectorUrl":"https://mobile.events.data.microsoft.com/OneCollector/1.0/","driveInfo":{},"vanityUrls":{},"multiGeoInfo":[{"InstanceId":"20c79a75-c89c-4bc6-aa94-13f856925200","DataLocation":"","IsDefaultDataLocation":false,"RootSiteUrl":"https://trwd.sharepoint.com/","MySiteHostUrl":"https://trwd-my.sharepoint.com/","TenantAdminUrl":"https://trwd-admin.sharepoint.com/","PortalUrl":"https://trwd.sharepoint.com/","AdditionalUrls":[]}],"viewOnlyExperienceEnabled":false,"m365GroupsBlockDownloadsExperienceEnabled":false,"readOnlyExperienceEnabled":false,"blockDownloadFileTypePolicyEnabled":false,"authContextLimitedAccessExperienceEnabled":false,"disableBackToClassic":false,"isOAuth":false,"isLocationserviceAvailable":true,"blockDownloadsExperienceEnabled":false,"idleSessionSignOutEnabled":false,"activityBasedTimeoutEnabled":false,"isSmallMediumBizOverQuotaTenant":false,"isFraudTenant":false,"fraudTenantSubscriptionType":"","isTenantOverQuota":null,"fraudTenantAccessRevokeTime":"0001-01-22T00:00:00","e5DevOverQuotaTenantAccessBlockTime":"0001-01-01T00:00:00","e5DevOverQuotaTenantAccessDeactivationTime":"0001-01-01T00:00:00","cdnPrefix":"res-1.cdn.office.net/bld","cdnBaseUrl":null,"routingKey":null,"siteAbsoluteUrl":"https://trwd.sharepoint.com/sites/trwdsecresponseteam","siteAbsoluteUrlLegacy":"","siteId":"{79213adf-942e-4f29-9148-759f617d4c4a}","showNGSCDialogForSyncOnTS":true,"supportPoundStorePath":true,"supportPercentStorePath":true,"siteSubscriptionId":"c9de0af1-361b-42ae-ace3-ab4cea6cb8dc","tenantDisplayName":"trwd.com","isMultiGe
URL: file:///C:/Users/user/Desktop/AllItems.htm... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript snippet appears to be a configuration object for a SharePoint site, containing various properties and settings related to the site's context, permissions, and user information. There are no obvious high-risk indicators, such as dynamic code execution, data exfiltration, or suspicious redirects. The script seems to be focused on providing contextual information for the SharePoint site and does not demonstrate any malicious behavior. Therefore, the risk score is assessed as low." }
var _spPageContextInfo={"ListCountLimit":0,"FieldCountLimit":0,"ClientPrefetchBehavior":0,"IsConsumerListsPaidUser":false,"IsConsumerFilesPaidUser":false,"siteDisabled":false,"isCommonDomainRequestContext":false,"webServerRelativeUrl":"/sites/trwdsecresponseteam","webServerRelativeUrlLegacy":"","webAbsoluteUrl":"https://trwd.sharepoint.com/sites/trwdsecresponseteam","webAbsoluteUrlLegacy":"","viewId":"{ecd94184-a7a6-4ab0-814b-4cd9a68d49d8}","webPropertyFlags2":16384,"listId":"{48550973-4720-4352-8fc4-a0807a818256}","listTemplateId":"","listPermsMask":{"High":432,"Low":1011030767},"listUrl":"/sites/trwdsecresponseteam/Shared Documents","listUrlLegacy":"","listTitle":"Documents","listBaseTemplate":101,"listBaseType":1,"listForceCheckout":false,"draftVersionVisibilityType":0,"thirdPartyReplyUrisUpdated":false,"ariaCollectorUrl":"https://browser.pipe.aria.microsoft.com/Collector/3.0/","secureBrokerDomainName":"securebroker.sharepointonline.com","oneDsCollectorUrl":"https://mobile.events.data.microsoft.com/OneCollector/1.0/","driveInfo":{},"vanityUrls":{},"multiGeoInfo":[{"InstanceId":"20c79a75-c89c-4bc6-aa94-13f856925200","DataLocation":"","IsDefaultDataLocation":false,"RootSiteUrl":"https://trwd.sharepoint.com/","MySiteHostUrl":"https://trwd-my.sharepoint.com/","TenantAdminUrl":"https://trwd-admin.sharepoint.com/","PortalUrl":"https://trwd.sharepoint.com/","AdditionalUrls":[]}],"viewOnlyExperienceEnabled":false,"m365GroupsBlockDownloadsExperienceEnabled":false,"readOnlyExperienceEnabled":false,"blockDownloadFileTypePolicyEnabled":false,"authContextLimitedAccessExperienceEnabled":false,"disableBackToClassic":false,"isOAuth":false,"isLocationserviceAvailable":true,"blockDownloadsExperienceEnabled":false,"idleSessionSignOutEnabled":false,"activityBasedTimeoutEnabled":false,"isSmallMediumBizOverQuotaTenant":false,"isFraudTenant":false,"fraudTenantSubscriptionType":"","isTenantOverQuota":null,"fraudTenantAccessRevokeTime":"0001-01-22T00:00:00","e5DevOverQuotaTenantAccessBlockTime":"0001-01-01T00:00:00","e5DevOverQuotaTenantAccessDeactivationTime":"0001-01-01T00:00:00","cdnPrefix":"res-1.cdn.office.net/bld","cdnBaseUrl":null,"routingKey":null,"siteAbsoluteUrl":"https://trwd.sharepoint.com/sites/trwdsecresponseteam","siteAbsoluteUrlLegacy":"","siteId":"{79213adf-942e-4f29-9148-759f617d4c4a}","showNGSCDialogForSyncOnTS":true,"supportPoundStorePath":true,"supportPercentStorePath":true,"siteSubscriptionId":"c9de0af1-361b-42ae-ace3-ab4cea6cb8dc","tenantDisplayName":"trwd.com","isMultiGeoTenant":false,"isMultiGeoODBMode":false,"webDomain":"sharepoint.com","isSPO":true,"appSeatsQuota":405.0,"isSelfServiceSiteCreationEnabled":false,"farmLabel":"US_204_Content","farmName":"US_204_PHX10_193287_Content","contentDBName":"Content_527727_105","serverRequestPath":"/sites/trwdsecresponseteam/Shared Documents/Forms/AllItems.aspx","layoutsUrl":"_layouts/15","webId":"{895bfbc9-ba37-4998-bb29-ceb3d2bd21da}","webTitle":"Cybersecurity Incident Response","WebTitleCurrentLCID":0,"webTemplate":"64","webTemplateConfiguration":"GROUP#0","webDescription":"This team facilitates the coordination of efforts to respond to and mitigate security vulnerabilities or active incidents.","WebDescriptionCurrentLCID":0,"tenantAppVersion":"1","isAppWeb":false,"webLogoUrl":"/sites/trwdsecresponseteam/_api/GroupService/GetGroupImage?id=\u0027a158810f-c89e-4ca2-bcb7-590db7e7d1a3\u0027\u0026hash=637707845118955968","webLanguage":1033,"webLanguageName":"en-US","currentLanguage":1033,"currentUICultureName":"en-US","currentCultureName":"en-US","currentCultureLCID":1033,"env":"prod","env2":"prod","cloudType":"prod","nid":16018,"fid":193287,"serverTime":"2025-01-06T19:43:30.7510748Z","siteClientTag":"0$$16.0.25520.12010","crossDomainPhotosEnabled":true,"openInClient":false,"webUIVersion":15,"webPermMasks":{"High":432,"Low":1011030767},"pageListId":"{48550973-4720-4352-8fc4-a0807a818256}","pageItemId":-1,"pagePermsMask":null,"pagePersonalizationScope":1,"userEmail":"Mike.Tocher@trwd.com",
URL: file:///C:/Users/user/Desktop/AllItems.htm... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript snippet appears to be a performance measurement utility, which is a common and legitimate practice. It uses the `window.performance.now()` or `Date.now()` methods to record timestamps for various performance stages, and optionally calls `window.performance.mark()` to create performance marks. This functionality does not exhibit any high-risk indicators and is likely part of a larger application's performance monitoring system." }
if(!spfxPerfMarks){var spfxPerfMarks = {};} var markPerfStage=function(key) {if(window.performance && typeof window.performance.now === 'function'){spfxPerfMarks[key]=window.performance.now();} else{spfxPerfMarks[key]=Date.now();} if (window.performance && typeof window.performance.mark === 'function') {window.performance.mark(key);}};
URL: file:///C:/Users/user/Desktop/AllItems.htm... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript snippet appears to be a fallback mechanism for loading a critical script for the Office 365 suite navigation. It listens for the 'load' and 'error' events on the 'SuiteNavShellCore' element, and if an error occurs, it dynamically creates a new script element and appends it to the document head. This behavior is likely a legitimate part of the Office 365 application and does not demonstrate any high-risk indicators. The script is interacting with known, trusted domains (e.g., 'shell.cdn.office.net'), and the overall behavior is consistent with typical application functionality." }
window.document.getElementById('SuiteNavShellCore').addEventListener('load', function() { (typeof markPerfStage === 'function' && markPerfStage('suiteNavScriptAsyncEnd')); if (window.executeSuiteNavOnce) { window.executeSuiteNavOnce() } window.shellCoreLoaded = true; });window.document.getElementById('SuiteNavShellCore').addEventListener('error', function() { var scriptElem = document.getElementById('SuiteNavShellCore'); scriptElem.parentNode.removeChild(scriptElem); var newScript = document.createElement('script'); newScript.setAttribute('type', 'text/javascript'); newScript.setAttribute('id', 'SuiteNavShellCore'); newScript.setAttribute('src', 'https://shell.cdn.office.net/api/ShellBootstrapper/business/OneShell'); newScript.setAttribute('crossorigin', 'anonymous'); newScript.async = true; newScript.addEventListener('load', function() { (typeof markPerfStage === 'function' && markPerfStage('suiteNavScriptAsyncEnd')); if (window.executeSuiteNavOnce) { window.executeSuiteNavOnce() } window.shellCoreLoaded = true; }); newScript.addEventListener('error', function() { window.o365ShellScriptLoadError = arguments[0]; (typeof markPerfStage === 'function' && markPerfStage('suiteNavScriptError')); if (window.executeSuiteNavOnce) { window.executeSuiteNavOnce() } window.shellCoreLoadError = true; }); document.head.appendChild(newScript); });
URL: file:///C:/Users/user/Desktop/AllItems.htm... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be a configuration object for the Fabric framework, which is a Microsoft-developed UI library. It does not contain any high-risk indicators like dynamic code execution, data exfiltration, or malicious redirects. The script primarily sets up configuration variables and includes some SRI (Subresource Integrity) hashes, which are used for verifying the integrity of external resources. While the script uses some legacy APIs like `XDomainRequest`, these pose minor risks and are not inherently malicious. Overall, the script seems to be part of a legitimate web application and does not exhibit any suspicious behavior." }
var g_responseEnd = new Date().getTime();window.performance && performance.mark('EUPL.W3CResponseEnd');window['FabricConfig'] = { fontBaseUrl: ''};window['__odsp_culture'] = 'en-us';window['__odspSriHashes'] = {"0":"sha256-VMwr0YOO7PLF8xJ+nA9JYkWs45sZpe1vTnzDaRAWyz0=","1":"sha256-JClbcvMa8qwvGmgYVp9AT1RzKYns5UQp4s3JqlsJBxw=","2":"sha256-Kyco/DmXedlIohdFf6ML1l62Ttepdis2Z5XXRKhwMOA=","3":"sha256-eFp1vFunfGFlMmKIN34YNaRusYWRL1SiaJhWf9uivHU=","4":"sha256-2vWIp7aP9NGQiBrMsO3j3wSc+cxT4wbF3jhGkt2nDs4=","5":"sha256-wCJIZYBFtImmLb05uvpYELaXybwrhpv78vazHp5Gfsc=","6":"sha256-37P/DyEUuxrvUpbcZGxiQiUAZlWGtyf1bNjiUSHkoUE=","7":"sha256-4rj/q2L3TIXtC2KsWZ50xW+raLxB5RUgGsnvkpwMpgQ=","8":"sha256-gy20r3mtjYnOZisXfSnJxqCTBbxXuG674VnnK4o5mtY=","9":"sha256-hiiCFiyrjEwXwqICiAPZMLe68dYQ0C7V6XUTCX84Uoc=","10":"sha256-t95DBXh2fE9NeoZfZANZx5ZCCkZh5bYaSp/I5xplDao=","11":"sha256-SeiqZtQSu5r91vVHKGcBoLo8VWgl6ts+WS4PZ07rpYQ=","12":"sha256-zWJp1WjpeHd8aemvncfd82kxl/82tFFPKqBVPAefEZg=","13":"sha256-PjvtaAjiu71t9So7i2+8bZiqu51+Mf7scbc9WRgquQc=","14":"sha256-aMpJ9Xsj8G97qdWbu4IQYI1NdHHwrGiTi61DgO/92Sk=","15":"sha256-ItNKrHW2G88NJE5xt5MdjLZii0KFey87S9W2kX8GaOs=","16":"sha256-vkyK2J8vSEjGIL6yhiZicyzDo+f3sSym8esc7emhn0I=","17":"sha256-W+336/FhnBZxNaHuguVjQBS+M8I4CfuUFIYQouOqQbU=","18":"sha256-Ff4EdOrhbnfySkF+S89zpDOOqDuxh86+tsA6mqoW20I=","19":"sha256-I1oYYpy4Q1HthISdICiL2SBgTLbsC7rQjKYInDzQBBQ=","20":"sha256-iL/2p4lkFW1bJ8BZ9HODRj0MVjWtA7YT1O1mIx3FNrA=","21":"sha256-0imh24rrcETnn8qGEmNfIwvx3N0DR1mRBW/UvokaJI4=","22":"sha256-SA5A7fAFBKLTam4brBTFvXlHIo4+QGIcUtZN+BIYBT8=","23":"sha256-qdmv89NaDipMf+e0/uhRMxur0QO8icn2KCEP9aK7R4c=","24":"sha256-bl62KQas6BEkBAdE/+Zww+ysw0+s9Ixra5fzu4alugY=","25":"sha256-CN0fzCjhZQuuE9vJnHo4KKMhL4Ep2RFJQzz86rISNvg=","26":"sha256-jjixr2hO42UNdTST3a+kB/7mBGyeJwedGXTmq2Vum6Y=","27":"sha256-fH8FecjMnV18p83jfqmKye7MJbj66+AOCGDPf1fkSAs=","28":"sha256-+IhAWmf/dDqeRHFF4i1CuGUyO1v/tfmbFdIaRnTO0gc=","29":"sha256-vavDhHWd7W/WR6Gmitck0FLYt4eMn3VXgFuHfL9I/60=","30":"sha256-B8uIyMUzHqWhYwmeBkqLnBQI/obPCHIzSqmUOaonOh4=","31":"sha256-LVqUIwp/56K8Xf5lgruW+xDfGXt3YICUeyhLR6Hd8+Y=","32":"sha256-1BSzP/8xja1rXWO/mZQeeeYJoNnoiVeXGHqMNYVyjQU=","33":"sha256-4xvqkqQ42+Vde7ACtapj8kaGfyLr+RL0Xu0opnofJn0=","34":"sha256-I0iQkfG0Z2cek9cCGmLSH9IzHUvyIiGVJ7vEGevxC1U=","35":"sha256-a/kZY1nvl6ZeyzM+4U9y+nacaiPHPduzdLzyBoMZK44=","36":"sha256-88iPIChI4+yyyQiXMXRjXmSlWs0re/99WmoNCJWRGoU=","37":"sha256-2V5DDnGweDmGW8mohihtgOk1xoCa3sabUuSk2Z3C9g4=","38":"sha256-aHPQjK81Lr/a1PgKyFcDoryEptXOdNitoBaZvFNqivY=","39":"sha256-+sPQnkb6lXpreg5vfhkX0ayDDYGdy1R5tAWstsQTgfo=","40":"sha256-RD6n3s+PPGlQDIPX+oK7q6Ot2QKv9BN+VVKL7YJAFVM=","41":"sha256-IMk8yQqduMklZS3s1ofsXJx2KPLfx78G54iNGL93zlM=","42":"sha256-Lz6CacBdEYzbKSnr1HCvqNBHHSnPCds/pd6mW4LBHUo=","43":"sha256-Oh/xpwhNvpxJURj7rTX6HeGLY9tRVJ9/aERINiue/ZY=","44":"sha256-EPb5TKYlwFGCvdN3L72rnC4aDikej8O4WIpQZy6vaUE=","45":"sha256-6K0kxJHHyu1in0U+jwHbEQ6swGE9xPnEdW2Dh6T4lNw=","46":"sha256-DSQ6i7DL6kwrh4wgStC/+gL8suY5kcMnWxq10YQkDII=","47":"sha256-5M0K1dl8Qf+e8qrq2vJwL0N21fgOfCn5HxIMGyDiNgU=","48":"sha256-fyYdcl4z8xRPXooLzh5v6Zl881iRXdeu0+880u0JiHc=","49":"sha256-+J8+lXMpSBbiqvg9D6cglvNV3LAe0gX2hzKKPkM88Kk=","50":"sha256-yx8u3kJheSv6k4xB5Iz8gFEeqS1atGgDsrOtIAffENU=","51":"sha256-uT0Tmv9hSk4udQ7L8qRrsH9M8Zi7BWfmwL7ekcBfkco=","52":"sha256-+aAW7xLYDLgGqd2/r0FDtYPSN6dr7GBW1FMiK5fj484=","53":"sha256-NLcrJSvCeCCL1/jvQlxXex371dDQxWHGV4IIb8oR4rk=","54":"sha256-YiYAat6WBoXGaPVGdm7r5oFaWLlqe2Kr3NDzyCUfKg4=","55":"sha256-VDkvMQCaYvCPUNsVaKqP7ocSOiT2rVnw/T5cfY+Eabg=","56":"sha256-EZvJuaXER2Y4FaOpm4k4uhhpiIB0Z4tQxRH4s3bxyEc=","57":"sha256-Y8iASJQV54TJQFy7OySvJWQbEU93cSdziQaJShhbz+Y=","58":"sha256-0i+gOlqIpgl7qSRS3/Q7wzKL4+v0izRw4SkjnANuWrc=","59":"sha256-9ekGo63aSFlwGMUDVRd++nRhCoW4aMmD/Ix3au5WcoM=","60":"sha256-TWclcI7xUfrVaNRA0JMkscxJ3ZyblKPnhA0BqIudw9c=","61":"sha256-MRWX15G0yBo/uPmnLH/wmJo7hjoakjklt4kTMJbkLDw=","62":"sha256-NLYKAijPWbkxa7OuOuG1FCWdIht6JtKS3IBVJ8mHrn8=","63":"sha256-3StmDhCmQivVrn3s40aZnvhk24zPbSpHuFupUCRVfCE=","64":"sha256-8LW6dWquLEXL
URL: file:///C:/Users/user/Desktop/AllItems.htm... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be a legitimate SharePoint-related code snippet, with no clear indicators of malicious intent. While it includes some behaviors that could be considered risky, such as dynamic data loading and the use of legacy APIs, the overall context suggests this is likely a benign script used for SharePoint functionality. The risk score is on the lower end, as the behaviors are not inherently malicious and the script seems to be operating within a trusted SharePoint environment." }
var g_deferDataLoadTime = new Date().getTime();var g_payload = {"parameters":{"__metadata":{"type":"SP.RenderListDataParameters"},"RenderOptions":33019655,"AllowMultipleValueFilterForTaxonomyFields":true, "AddRequiredFields":true, "RequireFolderColoringFields": true}}; var g_listData = {"wpq":"","Templates":{},"ListData":{ "Row" : [{ "ContentTypeId": "0x01010088AB982F0A688043AD3318A50537A87B00214CFA129FFD0B4D9E442750C3627B5D", "_ModerationComments": "", "FileLeafRef": "QuarantineMessage-3.zip", "Modified_x0020_By": "i:0#.f\|membership\|josh.ford@trwd.com", "Created_x0020_By": "i:0#.f\|membership\|josh.ford@trwd.com", "File_x0020_Type": "zip", "File_x0020_Type.mapapp": "", "HTML_x0020_File_x0020_Type.File_x0020_Type.mapcon": "", "HTML_x0020_File_x0020_Type.File_x0020_Type.mapico": "iczip.gif", "serverurl.progid": "", "ServerRedirectedEmbedUrl": "", "File_x0020_Type.progid": "", "File_x0020_Type.url": "FALSE", "HTML_x0020_File_x0020_Type": "", "_SourceUrl": "", "_SharedFileIndex": "", "SelectFilename": "37", "ComplianceAssetId": "", "Title": "", "TemplateUrl": "", "xd_ProgID": "", "xd_Signature": "", "xd_Signature.value": "", "_ShortcutUrl": "", "_ShortcutUrl.desc": "", "_ShortcutSiteId": "", "_ShortcutWebId": "", "_ShortcutUniqueId": "", "Modified": "1\u002f6\u002f2025 10:58 AM", "Modified.": "2025-01-06T16:58:20Z", "Modified.FriendlyDisplay": "1\|0\|6\|3", "MediaServiceMetadata": "", "MediaServiceFastMetadata": "", "_ExtendedDescription": "", "TriggerFlowInfo": "", "_dlc_DocId": "NAH345HN3FVM-780264056-37", "_dlc_DocIdUrl": "\u002fsites\u002ftrwdsecresponseteam\u002f_layouts\u002f15\u002fDocIdRedir.aspx?ID=NAH345HN3FVM-780264056-37", "_dlc_DocIdUrl.desc": "NAH345HN3FVM-780264056-37", "_dlc_DocIdPersistId": "", "_dlc_DocIdPersistId.value": "", "TRWDDocumentClassification": "", "lb9c5a90d5cd427480df8ce388ec15fa": "", "TaxCatchAll": [], "RecordDate": "", "RecordDate.": "", "RecordDate.FriendlyDisplay": "", "DEPT": [], "p31a872dc219433685f3c0b1388ca7bb": "", "BondFunded": "No", "BondFunded.value": "0", "MaximoLocation": [], "o51d6badd0e04ad8ac7ab04601a745a8": "", "ProjectID": [], "p1828e96ea854ee69bcc6b9a21812200": "", "Notes1": "", "TaxCatchAllLabel": [], "ImageCreateDate": "", "ImageCreateDate.": "", "ImageCreateDate.FriendlyDisplay": "", "Keywords": "", "ImageWidth": "", "ImageWidth.": "", "ImageHeight": "", "ImageHeight.": "", "Comments": "", "AlternateThumbnailUrl": "", "AlternateThumbnailUrl.desc": "", "PreviewExists": "", "PreviewExists.value": "", "ThumbnailExists": "", "ThumbnailExists.value": "", "FileType": "zip", "ImageSize": "", "EncodedAbsThumbnailUrl": "\u002f_layouts\u002fimages\u002ficzip.gif", "SelectedFlag": "0", "EncodedAbsWebImgUrl": "\u002f_layouts\u002fimages\u002ficzip.gif", "RequiredField": "sites\u002ftrwdsecresponseteam\u002fShared Documents\u002fGeneral\u002fQuarantineMessage-3.zip", "NameOrTitle": "QuarantineMessage-3.zip", "Preview": "", "Thumbnail": "", "PreviewOnForm": "0", "Asset_x0020_Numbers": [], "k262fb9e911d48bfa9931df25f4f3939": "", "TRWDDeclareRecord": "No", "MediaServiceAutoTags": "", "MediaServiceOCR": "", "MediaServiceGenerationTime": "", "MediaServiceEventHashCode": "", "TRWDHasOriginalDocDate": "No", "TRWDHasOriginalDocDate.calculated": "string;#No", "_ColorHex": "", "_ColorTag": "", "_Emoji": "", "_EffectiveIpLabelDisplayName": "0", "MediaServiceSearchProperties": "", "MediaServiceObjectDetectorVersions": "", "ID": "37", "ContentType": "Default Metadata", "WelcomeViewId": "", "WelcomePageCustomized": "", "Created": "1\u002f6\u002f2025 10:58 AM", "Created.": "2025-01-06T16:58:18Z", "Created.FriendlyDisplay": "1\|0\|6\|3", "Author": [{"id":"46","title":"Josh Ford","email":"Josh@trwd.com","sip":"josh.ford@trwd.com","picture":"https:\u002f\u002ftrwd-my.sharepoint.com:443\u002fUser%20Photos\u002fProfile%20Pictures\u002f0c6fb8cc-3c4c-4a0d-9bd5-beeeb062a7d3_MThumb.jpg?t=63850118757","department":"Information Services - 34","jobTitle":"Microsoft 365 Engineer"}], "Editor": [{"id":"46","title":"Josh Ford",
URL: file:///C:/Users/user/Desktop/AllItems.htm... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be a legitimate implementation of the Office 365 Shell, which is a common component used in Microsoft's web applications. The script sets up several Promise objects to handle the loading, rendering, and post-rendering of the suite navigation UI. It also configures various settings and parameters related to the Shell's behavior, such as the theme, search functionality, and authentication provider. While the script uses some dynamic techniques like `Promise` and `window` object manipulation, these are common practices in modern web development and do not appear to be indicative of malicious intent. The script's purpose and interactions are consistent with typical Office 365 functionality, and there are no clear high-risk indicators observed. Therefore, the overall risk score is assessed as low." }
window.o365ShellLoadPromiseResolve = undefined; window.o365ShellLoadPromiseReject = undefined; window.o365ShellRenderPromiseResolve = undefined; window.o365ShellRenderPromiseReject = undefined; window.o365ShellPostRenderPromiseResolve = undefined; window.o365ShellPostRenderPromiseReject = undefined; window.o365ShellLoadPromise = new Promise(function (loadResolve, loadReject) { window.o365ShellLoadPromiseResolve = loadResolve, window.o365ShellLoadPromiseReject = loadReject }); window.o365ShellRenderPromise = new Promise(function (renderResolve, renderReject) { window.o365ShellRenderPromiseResolve = renderResolve, window.o365ShellRenderPromiseReject = renderReject }); window.o365ShellPostRenderPromise = new Promise(function (prResolve,prReject) { window.o365ShellPostRenderPromiseResolve = prResolve, window.o365ShellPostRenderPromiseReject = prReject });var executeSuiteNav = function () {var suiteNavPlaceholder = document.createElement('div');suiteNavPlaceholder.id = 'SuiteNavPlaceholder';suiteNavPlaceholder.style = "min-height: 48px";document.body.insertBefore(suiteNavPlaceholder, document.body.firstChild);if (window.o365ShellScriptLoadError) {o365ShellLoadPromiseReject(window.o365ShellScriptLoadError);o365ShellRenderPromiseReject(new Error('SuiteNavLoadError'));o365ShellPostRenderPromiseReject(new Error('SuiteNavLoadError'));return; }o365ShellLoadPromiseResolve();var themeData = {Primary:'#0078D4'};var searchQueryViewParam = window.location.search.substring(1).split('&').filter(function (s) { return s.indexOf('q=')===0; })[0]; var searchQuery = searchQueryViewParam ? decodeURIComponent(searchQueryViewParam.substring(2)) : ''; (typeof markPerfStage === 'function' && markPerfStage('suiteNavRenderAsyncStart'));O365Shell.RenderAsync({top: 'SuiteNavPlaceholder', layout: 'Mouse', enableSearchUX: true, initialSearchUXVisibility: true, initialSearchUXPlaceholderText: 'Search', initialSearchUXSearchText: searchQuery, enableDelayLoading: true, collapseO365Settings: true, disableDelayLoad: false, disableShellPlus: false, isThinHeader: true, enableLegacyResponsiveBehavior: false, expectSearchBoxSettings: true, shellAuthProviderConfig: { type: 'webAadWithMsaProxy', login_Hint: 'Mike.Tocher@trwd.com', appSignInUrl: 'https://www.office.com/login?prompt=select_account&ru=%2Flaunch%2Fsharepoint', appSignOutUrl: 'https:\u002f\u002ftrwd.sharepoint.com\u002fsites\u002ftrwdsecresponseteam/_layouts/15/SignOut.aspx', appSwitchUrl: 'https://www.office.com/login?prompt=select_account&ru=%2Flaunch%2Fsharepoint', appSwitchToUrl: function(params) { var n = params && params.nextAccount; if(!n) { return ''; } return (!n.type \|\| n.type.toLowerCase() === 'aad' ? 'https://www.office.com/login?ru=%2Flaunch%2Fsharepoint' : 'https://onedrive.live.com/?gologin=1') + (n.memberName ? '&login_hint=' + encodeURIComponent(n.memberName) : ''); }, aad: { appId: '00000003-0000-0ff1-ce00-000000000000', wreply: 'https:\u002f\u002ftrwd.sharepoint.com\u002f_forms\u002fdefault.aspx' }, msa: { siteId:'250206', wreply: 'https:\u002f\u002ftrwd.sharepoint.com\u002f_forms\u002fdefault.aspx' } }, shellDataOverrides: {AccountSwitchingEnabled: true,DisableMASTPopup: true}, supportShyHeaderMode: true, shyHeaderActivationHeight:480, initialRenderData: { AppBrandTheme: themeData, DisableTheming: false, Culture: 'en-US', CurrentMainLinkElementId: 'ShellSites', IsConsumer: false, UserDisplayName: 'Mike Tocher', UserID: '10032003dad25cfe', WorkloadId: 'Sharepoint', ShellBootHost: 'https://shell.cdn.office.net', Environment: '', EnableVanillaSearchBox: true }},function () {(typeof markPerfStage === 'function' && markPerfStage('suiteNavRenderAsyncEnd'));o365ShellRenderPromiseResolve();},function () {(typeof markPerfStage === 'function' && markPerfStage('suiteNavPostRender'));o365ShellPostRenderPromiseResolve();},function (error) {(typeof markPerfStage === 'function' && markPerfStage('suiteNavRenderAsyncErrorEnd'));o365ShellRenderPromiseReject(error); o365ShellPostRenderPromiseReject(error);});}
URL: :// Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: ://
URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "QuarantineMessage-3", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "QuarantineMessage-3", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/AllItems.htm Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.136.10	http://algestconsulting20-my.sharepoint.com/:f:/g/personal/jacques_cangah_algest-consulting_com/EkolIGllKGRKhe-gd4i73uMBzF46oqcv00d-WXGnz9D-Fw	Get hash	malicious	Unknown	Browse	algestconsulting20-my.sharepoint.com/:f:/g/personal/jacques_cangah_algest-consulting_com/EkolIGllKGRKhe-gd4i73uMBzF46oqcv00d-WXGnz9D-Fw
	http://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZGkv1O_1FowosB2CSGfrKDmTZiEPPt31Ds7g	Get hash	malicious	HTMLPhisher	Browse	bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZGkv1O_1FowosB2CSGfrKDmTZiEPPt31Ds7g
	http://midlandlangarsevasociety-my.sharepoint.com/:w:/g/personal/sharon_bharaj_mlss_org_uk/EWiGFFYhPhtPjz5jsZdcRooBPGLh-q5SsgwgIhmP7JCmAg	Get hash	malicious	HTMLPhisher	Browse	midlandlangarsevasociety-my.sharepoint.com/:w:/g/personal/sharon_bharaj_mlss_org_uk/EWiGFFYhPhtPjz5jsZdcRooBPGLh-q5SsgwgIhmP7JCmAg
239.255.255.250	http://stereospoutfireextinguisher.com	Get hash	malicious	Unknown	Browse
	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse
	ZipThis.exe	Get hash	malicious	Unknown	Browse
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN	Get hash	malicious	HTMLPhisher	Browse
	https://ukg.login-us.mimecast.com	Get hash	malicious	Unknown	Browse
	https://scales.mn/file/one-drv11.html	Get hash	malicious	Unknown	Browse
	http://click.pstmrk.it	Get hash	malicious	Unknown	Browse
	http://t.me/hhackplus	Get hash	malicious	Unknown	Browse
	https://www.figma.com/design/Sw6t5vElBVmnrFNiteka8B/Untitled-(Copy)?node-id=0-1&p=f&t=x9aFU3FgLH1rkKBK-0	Get hash	malicious	Unknown	Browse
	http://joeschmidtmusic.net	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0036.t-0009.t-msedge.net	https://hffa.studycentrecpfc.com/D9ns6.studycentrecpfc.com/bUhZb/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.64
	https://t.ly/ShNFU	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.64
	https://viewstripo.email/680864d7-5609-4e6a-8914-c4d257d4c5ee1731949744848	Get hash	malicious	Unknown	Browse	13.107.246.64
	Play_vm_Message_for_Melissa.medina_wav_ .htm	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.64
	https://url11.kmt4ispayroll.com/?id=eyJlbWFpbF9pZCI6ImRnVER4d2NEQVAyTURfeU1Ed0dUSlVtb194VC0xeUp6Wk-t3aldrdz0iLCJocmVmIjoiaHR0cHM6Ly90Lm1lL3N0YWN5X215YnJvY2FyZCIs-ImludGVybmFsIjoiYzNjNzA3MDhmYzM5ZmQ4YzBmIiwibGlua19pZCI6ODY4fQ-e06f9243688f8d3f6986ffbedf3a11c620bbea820e86e17c3fd3a4979cbc3e26AOMMRkVTE4y4i4MhR8PO5Li1enwscIrfMMFkF0FdObryKs8IHKZe9lNXxCYB	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.64
	#U25b6#Ufe0fVmail__00_15.html	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.64
	https://grandpasbs.com/wp-includes/o/?c3Y9bzM2NV8xX3NwJnJhbmQ9ZG1KdWNsTT0mdWlkPVVTRVIwMzEwMjAyNFU0MjEwMDMzMA==N0123N	Get hash	malicious	Mamba2FA	Browse	13.107.246.64
	https://astonishing-maize-sunstone.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.64
	OZ1ORrbotn.exe	Get hash	malicious	Mammon, TrojanRansom, Xmrig	Browse	13.107.246.64
	https://api.inspectrealestate.com.au/email/track?eta=1&t=B32-5UARLGTXC6GHXC7PJPHCGUP7HMF6FJEQ76L6MOL7WYB6P6EYQNBONANBBGKOXFRO3HPDET5TXGOZXG5FJNMJJC437YUYUWDF5VEVIWPK6LECEZJV3OMRCXF6VI76ZOGYOFIOERVACTHYB4KHK22IKKEWLYPTUBLONXLA7QVY2SW2TZMW4ULVG2UAKDR3DM3RL4TTJAF3F3ROXQ3ZLRVYS7Z2T4TIQETEEUV73V42AQLF65YKSUX6JMYEW3ZHXPREAMXXBOQV32GKOYOISFZKX4GPTPR2IMSMCULLR2V4QUSMU3MWF7NQ%3D%3D%3D%3D	Get hash	malicious	Unknown	Browse	13.107.246.64
s-part-0017.t-0009.t-msedge.net	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://scales.mn/file/one-drv11.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://click.pstmrk.it	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.figma.com/design/Sw6t5vElBVmnrFNiteka8B/Untitled-(Copy)?node-id=0-1&p=f&t=x9aFU3FgLH1rkKBK-0	Get hash	malicious	Unknown	Browse	13.107.246.45
	KHK0987.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://u1427642.ct.sendgrid.net/ss/c/u001.FNsPiHUBxMFL4Ws_sT4ClbcHyliF9aYYaCWsJtTBDNtLQl9ZlDrQgriglBxgGE9RruWvR9yDlYrq9sYDXn9m2QBHZNBT8lOXoCfvqrsEWDs/4cw/m3JxW_wISSqopMaBzhDAkg/h0/h001.ecTtgKjf7ojZqznHApcdI1yRZPedj7DDFJ38_Fw-Xx8	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://hacdct-my.sharepoint.com/:f:/g/personal/dmarra_hacdct_org/El0CfhNMVMNNuzPj6QGnrSQBywVLNW96w_XrX10UdRlfmQ?email=dhodder%40haigroup.com&e=d37USF&xsdata=MDV8MDJ8am1ja2lubGV5QGhhaWdyb3VwLmNvbXwyYzYxNmM3ZDhlNmU0YWM5MDJlMjA4ZGQyZTYzYjFmMnw4MjgxNWI4YzM3NzU0NTk5OTdjNzJiODc1MjhlNmY4M3wwfDB8NjM4NzE3NzMyNjY3MjIxNDQzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXw0MDAwfHx8&sdata=bXM5KzduUjdVc3RFaFJsU1ZBR1d1enMxT3I3VitIdmc4MUlhZ25WT3dmWT0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	A7GSBA08HBVVDSA_pdf.lnk	Get hash	malicious	Unknown	Browse	13.107.246.45
dual-spo-0005.spo-msedge.net	https://hacdct-my.sharepoint.com/:f:/g/personal/dmarra_hacdct_org/El0CfhNMVMNNuzPj6QGnrSQBywVLNW96w_XrX10UdRlfmQ?email=dhodder%40haigroup.com&e=d37USF&xsdata=MDV8MDJ8am1ja2lubGV5QGhhaWdyb3VwLmNvbXwyYzYxNmM3ZDhlNmU0YWM5MDJlMjA4ZGQyZTYzYjFmMnw4MjgxNWI4YzM3NzU0NTk5OTdjNzJiODc1MjhlNmY4M3wwfDB8NjM4NzE3NzMyNjY3MjIxNDQzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXw0MDAwfHx8&sdata=bXM5KzduUjdVc3RFaFJsU1ZBR1d1enMxT3I3VitIdmc4MUlhZ25WT3dmWT0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	https://hacdct-my.sharepoint.com/:f:/g/personal/dmarra_hacdct_org/El0CfhNMVMNNuzPj6QGnrSQBywVLNW96w_XrX10UdRlfmQ?email=dhodder%40haigroup.com&e=d37USF&xsdata=MDV8MDJ8am1ja2lubGV5QGhhaWdyb3VwLmNvbXwyYzYxNmM3ZDhlNmU0YWM5MDJlMjA4ZGQyZTYzYjFmMnw4MjgxNWI4YzM3NzU0NTk5OTdjNzJiODc1MjhlNmY4M3wwfDB8NjM4NzE3NzMyNjY3MjIxNDQzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXw0MDAwfHx8&sdata=bXM5KzduUjdVc3RFaFJsU1ZBR1d1enMxT3I3VitIdmc4MUlhZ25WT3dmWT0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	https://hacdct-my.sharepoint.com/:f:/g/personal/dmarra_hacdct_org/El0CfhNMVMNNuzPj6QGnrSQBywVLNW96w_XrX10UdRlfmQ?email=dhodder%40haigroup.com&e=d37USF&xsdata=MDV8MDJ8am1ja2lubGV5QGhhaWdyb3VwLmNvbXwyYzYxNmM3ZDhlNmU0YWM5MDJlMjA4ZGQyZTYzYjFmMnw4MjgxNWI4YzM3NzU0NTk5OTdjNzJiODc1MjhlNmY4M3wwfDB8NjM4NzE3NzMyNjY3MjIxNDQzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXw0MDAwfHx8&sdata=bXM5KzduUjdVc3RFaFJsU1ZBR1d1enMxT3I3VitIdmc4MUlhZ25WT3dmWT0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	https://ocemt-my.sharepoint.com/:o:/g/personal/cgremel_ocemt_edu/El0lVz9DgmtMsBazSuh3bdYBcfj71dOqNLuq6XsKZMLXlA?e=5%3axcx4cZ&at=9	Get hash	malicious	Unknown	Browse	13.107.136.10
	https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	13.107.136.10
	https://syndiclair-my.sharepoint.com/:o:/g/personal/ml_syndiclair_fr/En8EbZMYpZ5CodZQ05mt4IMBGZHEHcSylnIeMh0DoULmZw?e=UkXb4Y	Get hash	malicious	Unknown	Browse	13.107.136.10
	https://mailustabucaedu-my.sharepoint.com/:u:/g/personal/stella_pabon_ustabuca_edu_co/EWCk8BqICKBBrExz32n-PvYBCVoLK4PToNCGKPT0vElGYg?e=w0tQWE	Get hash	malicious	Unknown	Browse	13.107.136.10
	https://mailustabucaedu-my.sharepoint.com/:u:/g/personal/stella_pabon_ustabuca_edu_co/EWCk8BqICKBBrExz32n-PvYBCVoLK4PToNCGKPT0vElGYg?e=w0tQWE	Get hash	malicious	Unknown	Browse	13.107.136.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	http://click.pstmrk.it	Get hash	malicious	Unknown	Browse	20.10.16.51
	DownloadedMessage.zip	Get hash	malicious	HTMLPhisher	Browse	40.126.32.138
	http://phothockey.ch	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	13.107.42.14
	https://hacdct-my.sharepoint.com/:f:/g/personal/dmarra_hacdct_org/El0CfhNMVMNNuzPj6QGnrSQBywVLNW96w_XrX10UdRlfmQ?email=dhodder%40haigroup.com&e=d37USF&xsdata=MDV8MDJ8am1ja2lubGV5QGhhaWdyb3VwLmNvbXwyYzYxNmM3ZDhlNmU0YWM5MDJlMjA4ZGQyZTYzYjFmMnw4MjgxNWI4YzM3NzU0NTk5OTdjNzJiODc1MjhlNmY4M3wwfDB8NjM4NzE3NzMyNjY3MjIxNDQzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXw0MDAwfHx8&sdata=bXM5KzduUjdVc3RFaFJsU1ZBR1d1enMxT3I3VitIdmc4MUlhZ25WT3dmWT0%3d	Get hash	malicious	HTMLPhisher	Browse	104.47.55.156
	https://hacdct-my.sharepoint.com/:f:/g/personal/dmarra_hacdct_org/El0CfhNMVMNNuzPj6QGnrSQBywVLNW96w_XrX10UdRlfmQ?email=dhodder%40haigroup.com&e=d37USF&xsdata=MDV8MDJ8am1ja2lubGV5QGhhaWdyb3VwLmNvbXwyYzYxNmM3ZDhlNmU0YWM5MDJlMjA4ZGQyZTYzYjFmMnw4MjgxNWI4YzM3NzU0NTk5OTdjNzJiODc1MjhlNmY4M3wwfDB8NjM4NzE3NzMyNjY3MjIxNDQzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXw0MDAwfHx8&sdata=bXM5KzduUjdVc3RFaFJsU1ZBR1d1enMxT3I3VitIdmc4MUlhZ25WT3dmWT0%3d	Get hash	malicious	HTMLPhisher	Browse	104.47.55.156
	https://hacdct-my.sharepoint.com/:f:/g/personal/dmarra_hacdct_org/El0CfhNMVMNNuzPj6QGnrSQBywVLNW96w_XrX10UdRlfmQ?email=dhodder%40haigroup.com&e=d37USF&xsdata=MDV8MDJ8am1ja2lubGV5QGhhaWdyb3VwLmNvbXwyYzYxNmM3ZDhlNmU0YWM5MDJlMjA4ZGQyZTYzYjFmMnw4MjgxNWI4YzM3NzU0NTk5OTdjNzJiODc1MjhlNmY4M3wwfDB8NjM4NzE3NzMyNjY3MjIxNDQzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXw0MDAwfHx8&sdata=bXM5KzduUjdVc3RFaFJsU1ZBR1d1enMxT3I3VitIdmc4MUlhZ25WT3dmWT0%3d	Get hash	malicious	HTMLPhisher	Browse	104.47.66.28
	http://103-198-26-128.hinet-ip.hinet.net/wp/plugins/Tracking/click/php/SuperTracking.html#UUJWakY1bVdkWlZQejIwbVl3cDFHb2haOENXZVhYZlpLTUNSU2x1eEVCdGJtbVhKT0ZWNkVTNjlQSXJDLzI3ekErVVlzTkFZbkh5T29jeG1LcWM4YkJUekd2M2h4amIxRWZ4am4va3cvOVk9	Get hash	malicious	Unknown	Browse	20.10.16.51
	malware.bat	Get hash	malicious	PureLog Stealer, RHADAMANTHYS	Browse	52.168.117.173

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\Google.Widevine.CDM.dll	#Employee-Letter.pdf	Get hash	malicious	Unknown	Browse
	index.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse
	aspweb88.exe	Get hash	malicious	Unknown	Browse
	https://trimmer.to:443/GWHMY	Get hash	malicious	HTMLPhisher	Browse
	217469812STM.pdf	Get hash	malicious	ScreenConnect Tool, Phisher	Browse
	NW_EmployerNewsletter_11142024_pdf.html	Get hash	malicious	Unknown	Browse
	Benefits_Update_2024.pdf	Get hash	malicious	Unknown	Browse
	11sds_Invoice_9334749.html	Get hash	malicious	WinSearchAbuse	Browse
	Request_for_Title_Commitment.html	Get hash	malicious	Unknown	Browse

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2877728
Entropy (8bit):	6.868480682648069
Encrypted:	false
SSDEEP:	49152:GB6BoH5sOI2CHusbKOdskuoHHVjcY94RNETO2WYA4oPToqnQ3dK5zuqvGKGxofFo:M67hlnVjcYGRNETO2WYA4oLoqnJuZI5
MD5:	477C17B6448695110B4D227664AA3C48
SHA1:	949FF1136E0971A0176F6ADEA8ADCC0DD6030F22
SHA-256:	CB190E7D1B002A3050705580DD51EBA895A19EB09620BDD48D63085D5D88031E
SHA-512:	1E267B01A78BE40E7A02612B331B1D9291DA8E4330DEA10BF786ACBC69F25E0BAECE45FB3BAFE1F4389F420EBAA62373E4F035A45E34EADA6F72C7C61D2302ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #Employee-Letter.pdf, Detection: malicious, Browse Filename: index.html, Detection: malicious, Browse Filename: YF3YnL4ksc.exe, Detection: malicious, Browse Filename: aspweb88.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 217469812STM.pdf, Detection: malicious, Browse Filename: NW_EmployerNewsletter_11142024_pdf.html, Detection: malicious, Browse Filename: Benefits_Update_2024.pdf, Detection: malicious, Browse Filename: 11sds_Invoice_9334749.html, Detection: malicious, Browse Filename: Request_for_Title_Commitment.html, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....fd.........." ......(..........A&.......................................,.......,...`A.........................................V......V......`,......`+..p....+. )...p,......D.8....................C.(.....(.8...........p\..............................text.....(.......(................. ..`.rdata..h.....(.......(.............@..@.data....l......&.................@....pdata...p...`+..r.................@..@.00cfg..(.....+......p+.............@..@.gxfg....$....+..&...r+.............@..@.retplnel.... ,.......+..................tls.........0,.......+.............@....voltbl.D....@,.......+................._RDATA.......P,.......+.............@..@.rsrc........`,.......+.............@..@.reloc.......p,.......+.............@..B........................................................................................................................................

File type:	HTML document, ASCII text, with very long lines (64380)
Entropy (8bit):	5.549323785700551
TrID:	Scalable Vector Graphics (18501/1) 28.03% HyperText Markup Language with DOCTYPE (12503/2) 18.94% HyperText Markup Language (12001/1) 18.18% HyperText Markup Language (12001/1) 18.18% HyperText Markup Language (11001/1) 16.67%
File name:	AllItems.htm
File size:	969'437 bytes
MD5:	f6b200ff75fb02b13238f7aa6eef9884
SHA1:	6659fae7863d8f297ac7b73b9868a1f151d34c87
SHA256:	65a5d32dee75db73ea0801727911a7cb6a4aebeb9c016168e7bd2089b818b45f
SHA512:	f80b9c60e0f44a75b11a357b603fad1197d2ea4e454c6488b5be5c2b5355693df6228123df101b496cc606a3beb7f634702748f5413452dca59524bb69d62f6d
SSDEEP:	12288:SjEwBoR+BwoS5NeGNEfAzG3hMcfAzG3hMgPXjEwBE4:JRtoS5NciWi34
TLSH:	B0257D195050A471E2965AC92770BFB72FBF417B88857C08B25DCB8C83F69BF31A1627
File Content Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">. saved from url=(0256)https://trwd.sharepoint.com/sites/trwdsecresponseteam/Shared%20Documents/Forms/AllItems.aspx?id=%2Fsites%2Ftrwdsecrespo

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 20:58:36.068859100 CET	49675	443	192.168.2.4	173.222.162.32
Jan 6, 2025 20:58:48.254138947 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.254194975 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.254278898 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.254477024 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.254545927 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.254726887 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.255163908 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.255176067 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.255676031 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.255688906 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.804666996 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.805047035 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.805068016 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.805972099 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.806046963 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.807270050 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.807337999 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.807966948 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.807975054 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.808418989 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.809004068 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.809015036 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.810332060 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.810380936 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.814181089 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.814254045 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.814475060 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.814481974 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:48.985131979 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:48.985136986 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:49.059962988 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:49.060039997 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:49.060091019 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:49.061639071 CET	49764	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:49.061659098 CET	443	49764	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:49.399235964 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:49.399329901 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:49.399488926 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:49.487678051 CET	49763	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:49.487708092 CET	443	49763	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:50.088305950 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:58:50.088356972 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:58:50.088413954 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:58:50.088995934 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:58:50.089009047 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:58:50.728010893 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:58:50.728250027 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:58:50.728271961 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:58:50.729290962 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:58:50.729362011 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:58:50.734544992 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:58:50.734632015 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:58:50.787868023 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:58:50.787877083 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:58:50.906126976 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:58:56.797683001 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:56.797691107 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:56.797759056 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:56.798176050 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:56.798187017 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.367748022 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.368110895 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.368139982 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.368495941 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.373193026 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.373259068 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.373276949 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.419332981 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.422454119 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.547226906 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.547251940 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.547552109 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.547570944 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.547629118 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.547663927 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.547693014 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.547700882 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.548017979 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.548038960 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.548080921 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.550564051 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.554367065 CET	49850	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.554397106 CET	443	49850	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.680874109 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.680901051 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:57.681060076 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.681329012 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:57.681348085 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.247648954 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.247956991 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.247976065 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.249015093 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.249072075 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.249641895 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.249701023 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.250056028 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.250062943 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.291296005 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.415015936 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.415039062 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.415083885 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.415096045 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.415141106 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.415494919 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.415548086 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.415889025 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.415949106 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:58:58.415992022 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.416706085 CET	49852	443	192.168.2.4	13.107.136.10
Jan 6, 2025 20:58:58.416723013 CET	443	49852	13.107.136.10	192.168.2.4
Jan 6, 2025 20:59:00.654675007 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:00.654743910 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:00.654808044 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:59:00.712452888 CET	49781	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:59:00.712466955 CET	443	49781	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:43.724147081 CET	49724	80	192.168.2.4	2.22.50.131
Jan 6, 2025 20:59:43.724149942 CET	49723	80	192.168.2.4	2.22.50.131
Jan 6, 2025 20:59:43.729193926 CET	80	49723	2.22.50.131	192.168.2.4
Jan 6, 2025 20:59:43.729250908 CET	49723	80	192.168.2.4	2.22.50.131
Jan 6, 2025 20:59:43.729672909 CET	80	49724	2.22.50.131	192.168.2.4
Jan 6, 2025 20:59:43.729742050 CET	49724	80	192.168.2.4	2.22.50.131
Jan 6, 2025 20:59:47.357023001 CET	58140	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:59:47.361774921 CET	53	58140	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:47.361836910 CET	58140	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:59:47.366647959 CET	53	58140	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:47.828500986 CET	58140	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:59:47.833482027 CET	53	58140	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:47.833525896 CET	58140	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:59:50.132529974 CET	58156	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:59:50.132555962 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:50.132611990 CET	58156	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:59:50.132816076 CET	58156	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:59:50.132828951 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:50.793132067 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:50.793309927 CET	58156	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:59:50.793324947 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:50.793623924 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:50.793884039 CET	58156	443	192.168.2.4	172.217.18.4
Jan 6, 2025 20:59:50.793941021 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 20:59:50.848695040 CET	58156	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:00:00.731180906 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:00.731244087 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:00.731314898 CET	58156	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:00:02.086011887 CET	58156	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:00:02.086034060 CET	443	58156	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:50.195131063 CET	58317	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:00:50.195172071 CET	443	58317	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:50.195270061 CET	58317	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:00:50.195491076 CET	58317	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:00:50.195507050 CET	443	58317	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:50.883024931 CET	443	58317	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:50.883379936 CET	58317	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:00:50.883415937 CET	443	58317	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:50.883749962 CET	443	58317	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:50.884052992 CET	58317	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:00:50.884130001 CET	443	58317	172.217.18.4	192.168.2.4
Jan 6, 2025 21:00:50.928555965 CET	58317	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:01:00.808415890 CET	443	58317	172.217.18.4	192.168.2.4
Jan 6, 2025 21:01:00.808478117 CET	443	58317	172.217.18.4	192.168.2.4
Jan 6, 2025 21:01:00.808553934 CET	58317	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:01:01.257056952 CET	58317	443	192.168.2.4	172.217.18.4
Jan 6, 2025 21:01:01.257091999 CET	443	58317	172.217.18.4	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 20:58:45.850908995 CET	53	63368	1.1.1.1	192.168.2.4
Jan 6, 2025 20:58:45.855325937 CET	53	52144	1.1.1.1	192.168.2.4
Jan 6, 2025 20:58:47.162280083 CET	53	58413	1.1.1.1	192.168.2.4
Jan 6, 2025 20:58:48.191030025 CET	56914	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:48.191198111 CET	52342	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:50.078965902 CET	53480	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:50.079514980 CET	62902	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:50.085746050 CET	53	53480	1.1.1.1	192.168.2.4
Jan 6, 2025 20:58:50.086309910 CET	53	62902	1.1.1.1	192.168.2.4
Jan 6, 2025 20:58:50.124437094 CET	51580	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:50.124672890 CET	52574	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:54.572134972 CET	52448	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:54.572299957 CET	64153	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:54.611057043 CET	63283	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:54.611216068 CET	60315	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:55.336992979 CET	138	138	192.168.2.4	192.168.2.255
Jan 6, 2025 20:58:57.589303970 CET	62636	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:57.589620113 CET	49507	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:57.825355053 CET	53	61388	1.1.1.1	192.168.2.4
Jan 6, 2025 20:58:58.049797058 CET	53651	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:58.049954891 CET	63210	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:58:58.056600094 CET	53	53651	1.1.1.1	192.168.2.4
Jan 6, 2025 20:58:58.058197021 CET	53	63210	1.1.1.1	192.168.2.4
Jan 6, 2025 20:58:59.271058083 CET	53	53729	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:04.204899073 CET	53	58878	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:23.247597933 CET	53	53197	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:45.374865055 CET	53	51626	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:45.591993093 CET	53	57925	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:47.356630087 CET	53	64977	1.1.1.1	192.168.2.4
Jan 6, 2025 20:59:50.131508112 CET	56574	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:59:50.131663084 CET	63009	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:59:51.040945053 CET	62153	53	192.168.2.4	1.1.1.1
Jan 6, 2025 20:59:51.041136026 CET	57154	53	192.168.2.4	1.1.1.1
Jan 6, 2025 21:00:15.357528925 CET	53	63197	1.1.1.1	192.168.2.4
Jan 6, 2025 21:00:47.764192104 CET	53	49315	1.1.1.1	192.168.2.4
Jan 6, 2025 21:01:01.282167912 CET	53	64159	1.1.1.1	192.168.2.4
Jan 6, 2025 21:01:50.147881031 CET	50061	53	192.168.2.4	1.1.1.1
Jan 6, 2025 21:01:50.148199081 CET	56192	53	192.168.2.4	1.1.1.1
Jan 6, 2025 21:01:50.148916006 CET	54678	53	192.168.2.4	1.1.1.1
Jan 6, 2025 21:01:50.149055958 CET	58090	53	192.168.2.4	1.1.1.1
Jan 6, 2025 21:01:53.635329962 CET	53	51692	1.1.1.1	192.168.2.4

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 6, 2025 20:58:48.216489077 CET	1.1.1.1	192.168.2.4	0x8d2b	No error (0)	trwd.sharepoint.com	2924-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:48.216489077 CET	1.1.1.1	192.168.2.4	0x8d2b	No error (0)	2924-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com	193287-ipv4v6e.farm.dprodmgd105.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:48.216489077 CET	1.1.1.1	192.168.2.4	0x8d2b	No error (0)	193287-ipv4v6e.farm.dprodmgd105.aa-rt.sharepoint.com	193287-ipv4v6e.farm.dprodmgd105.sharepointonline.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:48.231642008 CET	1.1.1.1	192.168.2.4	0x5126	No error (0)	trwd.sharepoint.com	2924-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:48.231642008 CET	1.1.1.1	192.168.2.4	0x5126	No error (0)	2924-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com	193287-ipv4v6e.farm.dprodmgd105.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:48.231642008 CET	1.1.1.1	192.168.2.4	0x5126	No error (0)	193287-ipv4v6e.farm.dprodmgd105.aa-rt.sharepoint.com	193287-ipv4v6e.farm.dprodmgd105.sharepointonline.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:48.231642008 CET	1.1.1.1	192.168.2.4	0x5126	No error (0)	193287-ipv4v6.farm.dprodmgd105.aa-rt.sharepoint.com.dual-spo-0005.spo-msedge.net	dual-spo-0005.spo-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:48.231642008 CET	1.1.1.1	192.168.2.4	0x5126	No error (0)	dual-spo-0005.spo-msedge.net		13.107.136.10	A (IP address)	IN (0x0001)	false
Jan 6, 2025 20:58:48.231642008 CET	1.1.1.1	192.168.2.4	0x5126	No error (0)	dual-spo-0005.spo-msedge.net		13.107.138.10	A (IP address)	IN (0x0001)	false
Jan 6, 2025 20:58:50.085746050 CET	1.1.1.1	192.168.2.4	0x5367	No error (0)	www.google.com		172.217.18.4	A (IP address)	IN (0x0001)	false
Jan 6, 2025 20:58:50.086309910 CET	1.1.1.1	192.168.2.4	0xcb17	No error (0)	www.google.com			65	IN (0x0001)	false
Jan 6, 2025 20:58:50.131823063 CET	1.1.1.1	192.168.2.4	0x48e0	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:50.132122993 CET	1.1.1.1	192.168.2.4	0x6ff8	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:54.578960896 CET	1.1.1.1	192.168.2.4	0xb2d	No error (0)	login.microsoftonline.com	login.mso.msidentity.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:54.579870939 CET	1.1.1.1	192.168.2.4	0xaf69	No error (0)	login.microsoftonline.com	login.mso.msidentity.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:54.618141890 CET	1.1.1.1	192.168.2.4	0xc622	No error (0)	login.microsoftonline.com	login.mso.msidentity.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:54.618155003 CET	1.1.1.1	192.168.2.4	0x8d4f	No error (0)	login.microsoftonline.com	login.mso.msidentity.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:55.888696909 CET	1.1.1.1	192.168.2.4	0xff62	No error (0)	shed.dual-low.s-part-0036.t-0009.t-msedge.net	s-part-0036.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:55.888696909 CET	1.1.1.1	192.168.2.4	0xff62	No error (0)	s-part-0036.t-0009.t-msedge.net		13.107.246.64	A (IP address)	IN (0x0001)	false
Jan 6, 2025 20:58:56.735851049 CET	1.1.1.1	192.168.2.4	0x399d	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:56.735851049 CET	1.1.1.1	192.168.2.4	0x399d	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 6, 2025 20:58:57.633233070 CET	1.1.1.1	192.168.2.4	0x9b3d	No error (0)	trwd.sharepoint.com	2924-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:57.633233070 CET	1.1.1.1	192.168.2.4	0x9b3d	No error (0)	2924-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com	193287-ipv4v6e.farm.dprodmgd105.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:57.633233070 CET	1.1.1.1	192.168.2.4	0x9b3d	No error (0)	193287-ipv4v6e.farm.dprodmgd105.aa-rt.sharepoint.com	193287-ipv4v6e.farm.dprodmgd105.sharepointonline.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:57.634607077 CET	1.1.1.1	192.168.2.4	0x248f	No error (0)	trwd.sharepoint.com	2924-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:57.634607077 CET	1.1.1.1	192.168.2.4	0x248f	No error (0)	2924-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com	193287-ipv4v6e.farm.dprodmgd105.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:57.634607077 CET	1.1.1.1	192.168.2.4	0x248f	No error (0)	193287-ipv4v6e.farm.dprodmgd105.aa-rt.sharepoint.com	193287-ipv4v6e.farm.dprodmgd105.sharepointonline.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:57.634607077 CET	1.1.1.1	192.168.2.4	0x248f	No error (0)	193287-ipv4v6.farm.dprodmgd105.aa-rt.sharepoint.com.dual-spo-0005.spo-msedge.net	dual-spo-0005.spo-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:57.634607077 CET	1.1.1.1	192.168.2.4	0x248f	No error (0)	dual-spo-0005.spo-msedge.net		13.107.136.10	A (IP address)	IN (0x0001)	false
Jan 6, 2025 20:58:57.634607077 CET	1.1.1.1	192.168.2.4	0x248f	No error (0)	dual-spo-0005.spo-msedge.net		13.107.138.10	A (IP address)	IN (0x0001)	false
Jan 6, 2025 20:58:58.056600094 CET	1.1.1.1	192.168.2.4	0x7857	No error (0)	aadcdn.msftauth.net	scdn38e6f.wpc.9be8f.omegacdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:58.056600094 CET	1.1.1.1	192.168.2.4	0x7857	No error (0)	scdn38e6f.wpc.9be8f.omegacdn.net	sni1gl.wpc.omegacdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:58.056600094 CET	1.1.1.1	192.168.2.4	0x7857	No error (0)	sni1gl.wpc.omegacdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
Jan 6, 2025 20:58:58.058197021 CET	1.1.1.1	192.168.2.4	0x661e	No error (0)	aadcdn.msftauth.net	scdn38e6f.wpc.9be8f.omegacdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:58:58.058197021 CET	1.1.1.1	192.168.2.4	0x661e	No error (0)	scdn38e6f.wpc.9be8f.omegacdn.net	sni1gl.wpc.omegacdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:59:50.140815020 CET	1.1.1.1	192.168.2.4	0x7f15	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:59:50.141098022 CET	1.1.1.1	192.168.2.4	0x2ea1	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:59:51.047909975 CET	1.1.1.1	192.168.2.4	0xda76	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 20:59:51.048604012 CET	1.1.1.1	192.168.2.4	0x5604	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 21:01:50.154567957 CET	1.1.1.1	192.168.2.4	0xd64e	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 21:01:50.155458927 CET	1.1.1.1	192.168.2.4	0x8261	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 21:01:50.155642033 CET	1.1.1.1	192.168.2.4	0x1304	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 21:01:50.156323910 CET	1.1.1.1	192.168.2.4	0x28d4	No error (0)	m365cdn.nel.measure.office.net	nel.measure.office.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2025-01-06 19:58:48 UTC	593	OUT	GET /sites/apps/ClientSideAssets/27fe8d27-ddaa-4de9-ad0e-01deffdee2e8/nitro-pro-command-set_c69ae53f4c80ee966df6.js HTTP/1.1 Host: trwd.sharepoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-06 19:58:49 UTC	932	IN	HTTP/1.1 401 Unauthorized Content-Length: 16 Content-Type: text/plain; charset=utf-8 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-NetworkStatistics: 0,1051136,62,182,429662,0,708853,61 X-SharePointHealthScore: 2 X-DataBoundary: NONE X-1DSCollectorUrl: https://mobile.events.data.microsoft.com/OneCollector/1.0/ X-AriaCollectorURL: https://browser.pipe.aria.microsoft.com/Collector/3.0/ SPRequestGuid: faf574a1-70c4-7000-5f0e-6c9aff001409 request-id: faf574a1-70c4-7000-5f0e-6c9aff001409 MS-CV: oXT1+sRwAHBfDmya/wAUCQ.0 X-Powered-By: ASP.NET MicrosoftSharePointTeamServices: 16.0.0.25520 X-Content-Type-Options: nosniff X-MS-InvokeApp: 1; RequireReadOnly X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 85F3B8CFE84E4448B567EEC65954E1EF Ref B: EWR311000106011 Ref C: 2025-01-06T19:58:48Z Date: Mon, 06 Jan 2025 19:58:48 GMT Connection: close
2025-01-06 19:58:49 UTC	16	IN	Data Raw: 34 30 31 20 55 4e 41 55 54 48 4f 52 49 5a 45 44 Data Ascii: 401 UNAUTHORIZED

Timestamp	Bytes transferred	Direction	Data
2025-01-06 19:58:57 UTC	583	OUT	GET /_layouts/15/images/favicon.ico?%20rev=47 HTTP/1.1 Host: trwd.sharepoint.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-06 19:58:57 UTC	735	IN	HTTP/1.1 200 OK Cache-Control: max-age=31536000 Content-Length: 7886 Content-Type: image/x-icon Last-Modified: Thu, 19 Dec 2024 04:25:08 GMT Accept-Ranges: bytes ETag: "c38b4efccd51db1:0" P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-NetworkStatistics: 0,525568,0,178,170614,0,434776,57 SPRequestDuration: 3 SPIisLatency: 0 X-Powered-By: ASP.NET MicrosoftSharePointTeamServices: 16.0.0.25520 X-Content-Type-Options: nosniff X-MS-InvokeApp: 1; RequireReadOnly X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: A6E9A35E30C742E796DB3938CF94D74F Ref B: EWR311000103037 Ref C: 2025-01-06T19:58:57Z Date: Mon, 06 Jan 2025 19:58:56 GMT Connection: close
2025-01-06 19:58:57 UTC	1468	IN	Data Raw: 00 00 01 00 03 00 20 20 00 00 01 00 20 00 a8 10 00 00 36 00 00 00 18 18 00 00 01 00 20 00 88 09 00 00 de 10 00 00 10 10 00 00 01 00 20 00 68 04 00 00 66 1a 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c6 37 30 d0 c6 37 af d0 c6 37 ff d0 c6 37 ff d0 c6 37 ff d0 c6 37 ff d0 c6 37 af d0 c6 37 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 6 hf( @ 7077777770
2025-01-06 19:58:57 UTC	6418	IN	Data Raw: 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a 60 87 83 03 ff 87 83 03 ff 87 83 03 ff 87 83 03 ff 87 83 03 ff da d8 b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff d2 d1 a1 ff 8f 8b 13 ff 87 83 03 ff 87 83 03 ff 87 83 03 ff 87 83 03 ff 78 72 1f ff bb b2 31 ff d0 c6 37 ff d0 c6 37 ff b3 ab 25 ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a af 87 83 03 ff 87 83 03 ff 87 83 03 ff 87 83 03 ff 87 83 03 ff ff ff ff ff f8 f7 ef ff e1 e0 c0 ff e1 e0 c0 ff ff ff ff ff ff ff ff ff d2 d1 a1 ff 87 83 03 ff 87 83 03 ff 87 83 03 ff 87 83 03 ff 78 72 1f ff bb b2 31 ff c1 b9 2e ff aa a3 1f ff a1 9b 1a ff a1 9b 1a ff a1 9b 1a ff a1 Data Ascii: `xr177%xr1.

Timestamp	Bytes transferred	Direction	Data
2025-01-06 19:58:58 UTC	383	OUT	GET /_layouts/15/images/favicon.ico?%20rev=47 HTTP/1.1 Host: trwd.sharepoint.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-06 19:58:58 UTC	737	IN	HTTP/1.1 200 OK Cache-Control: max-age=31536000 Content-Length: 7886 Content-Type: image/x-icon Last-Modified: Thu, 19 Dec 2024 04:25:08 GMT Accept-Ranges: bytes ETag: "c38b4efccd51db1:0" P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-NetworkStatistics: 0,2102272,0,236,2982784,0,973179,57 SPRequestDuration: 3 SPIisLatency: 0 X-Powered-By: ASP.NET MicrosoftSharePointTeamServices: 16.0.0.25520 X-Content-Type-Options: nosniff X-MS-InvokeApp: 1; RequireReadOnly X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 91071EC90FB14F1FAB0CC9BA34C3B275 Ref B: EWR311000106053 Ref C: 2025-01-06T19:58:58Z Date: Mon, 06 Jan 2025 19:58:57 GMT Connection: close
2025-01-06 19:58:58 UTC	3433	IN	Data Raw: 00 00 01 00 03 00 20 20 00 00 01 00 20 00 a8 10 00 00 36 00 00 00 18 18 00 00 01 00 20 00 88 09 00 00 de 10 00 00 10 10 00 00 01 00 20 00 68 04 00 00 66 1a 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c6 37 30 d0 c6 37 af d0 c6 37 ff d0 c6 37 ff d0 c6 37 ff d0 c6 37 ff d0 c6 37 af d0 c6 37 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 6 hf( @ 7077777770
2025-01-06 19:58:58 UTC	4453	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 70 6c 03 bf 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 bf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 6c 03 40 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 ff 70 6c 03 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: plplplplplplplplplplplplplplplplplplpl@plplplplplplplplplplplplplplplplpl@

Target ID:	0
Start time:	14:58:41
Start date:	06/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\AllItems.htm"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	14:58:44
Start date:	06/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2168,i,5801467971831341747,16495345318854504296,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AllItems.htm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\Google.Widevine.CDM.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_256828101\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_591800032\sets.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\Filtering Rules

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\LICENSE.txt

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_897606596\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\win_x64\widevinecdm.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\_platform_specific\win_x64\widevinecdm.dll.sig

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6408_973667863\manifest.json

Chrome Cache Entry: 156

Chrome Cache Entry: 157

Chrome Cache Entry: 158

Windows Analysis Report
AllItems.htm