Edit tour

Windows Analysis Report
https://merge-d78e7.web.app/mail-merge-for-gmail.gif

Overview

General Information

Sample URL:	https://merge-d78e7.web.app/mail-merge-for-gmail.gif
Analysis ID:	1585843
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Classification

Process Tree

System is w10x64

chrome.exe (PID: 1440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2000,i,13647905409609027287,17222081618246682658,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://merge-d78e7.web.app/mail-merge-for-gmail.gif" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 2001Cache-Control: max-age=3600Content-Type: text/html; charset=utf-8Etag: "ea702d5454be80ff40345edff43e1aac085c1c2145f6315b87465870ac2f41ef"Last-Modified: Thu, 25 Aug 2022 21:36:57 GMTStrict-Transport-Security: max-age=31556926; includeSubDomains; preloadAccept-Ranges: bytesDate: Wed, 08 Jan 2025 09:52:17 GMTX-Served-By: cache-ewr-kewr1740059-EWRX-Cache: MISSX-Cache-Hits: 0X-Timer: S1736329938.506934,VS0,VE94Vary: x-fh-requested-host, accept-encodingalt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400

Source: sets.json.0.dr	String found in binary or memory: https://07c225f3.online
Source: sets.json.0.dr	String found in binary or memory: https://24.hu
Source: sets.json.0.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.0.dr	String found in binary or memory: https://abczdrowie.pl
Source: sets.json.0.dr	String found in binary or memory: https://alice.tw
Source: sets.json.0.dr	String found in binary or memory: https://ambitionbox.com
Source: sets.json.0.dr	String found in binary or memory: https://autobild.de
Source: sets.json.0.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.0.dr	String found in binary or memory: https://bild.de
Source: sets.json.0.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.0.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.0.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.0.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.0.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.0.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.0.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.0.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.0.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.0.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.0.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.0.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.0.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.0.dr	String found in binary or memory: https://chennien.com
Source: sets.json.0.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.0.dr	String found in binary or memory: https://clarosports.com
Source: sets.json.0.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.0.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.0.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.0.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.0.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.0.dr	String found in binary or memory: https://content-loader.com
Source: sets.json.0.dr	String found in binary or memory: https://cookreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.0.dr	String found in binary or memory: https://css-load.com
Source: sets.json.0.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.0.dr	String found in binary or memory: https://deere.com
Source: sets.json.0.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.0.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.0.dr	String found in binary or memory: https://drimer.io
Source: sets.json.0.dr	String found in binary or memory: https://drimer.travel
Source: sets.json.0.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.0.dr	String found in binary or memory: https://een.be
Source: sets.json.0.dr	String found in binary or memory: https://efront.com
Source: sets.json.0.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.0.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.0.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.0.dr	String found in binary or memory: https://ella.sv
Source: sets.json.0.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.0.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.0.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.0.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.0.dr	String found in binary or memory: https://finn.no
Source: sets.json.0.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.0.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.0.dr	String found in binary or memory: https://gettalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.0.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.0.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://grid.id
Source: sets.json.0.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.0.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.0.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.0.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://hapara.com
Source: sets.json.0.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1.global
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.0.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.0.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.0.dr	String found in binary or memory: https://hearty.app
Source: sets.json.0.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.0.dr	String found in binary or memory: https://hearty.me
Source: sets.json.0.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.0.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.0.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.0.dr	String found in binary or memory: https://hj.rs
Source: sets.json.0.dr	String found in binary or memory: https://hjck.com
Source: sets.json.0.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.0.dr	String found in binary or memory: https://html-load.com
Source: sets.json.0.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.0.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.0.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.0.dr	String found in binary or memory: https://img-load.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.0.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.0.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.0.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.0.dr	String found in binary or memory: https://interia.pl
Source: sets.json.0.dr	String found in binary or memory: https://intoday.in
Source: sets.json.0.dr	String found in binary or memory: https://iolam.it
Source: sets.json.0.dr	String found in binary or memory: https://ishares.com
Source: sets.json.0.dr	String found in binary or memory: https://jagran.com
Source: sets.json.0.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.0.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.0.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.0.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.com
Source: sets.json.0.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.0.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.0.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.0.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.0.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.0.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.0.dr	String found in binary or memory: https://libero.it
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.0.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.0.dr	String found in binary or memory: https://livechat.com
Source: sets.json.0.dr	String found in binary or memory: https://livechatinc.com
Source: sets.json.0.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.0.dr	String found in binary or memory: https://livemint.com
Source: sets.json.0.dr	String found in binary or memory: https://max.auto
Source: sets.json.0.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.0.dr	String found in binary or memory: https://meo.pt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.0.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.0.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.0.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.0.dr	String found in binary or memory: https://money.pl
Source: sets.json.0.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.0.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://nacion.com
Source: sets.json.0.dr	String found in binary or memory: https://naukri.com
Source: sets.json.0.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.co
Source: sets.json.0.dr	String found in binary or memory: https://nien.com
Source: sets.json.0.dr	String found in binary or memory: https://nien.org
Source: sets.json.0.dr	String found in binary or memory: https://nlc.hu
Source: sets.json.0.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.0.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.0.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.0.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.0.dr	String found in binary or memory: https://o2.pl
Source: sets.json.0.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.0.dr	String found in binary or memory: https://onet.pl
Source: sets.json.0.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.0.dr	String found in binary or memory: https://p106.net
Source: sets.json.0.dr	String found in binary or memory: https://p24.hu
Source: sets.json.0.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.0.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.0.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.0.dr	String found in binary or memory: https://player.pl
Source: sets.json.0.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.0.dr	String found in binary or memory: https://poalim.site
Source: sets.json.0.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.0.dr	String found in binary or memory: https://pomponik.pl
Source: sets.json.0.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.0.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.0.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.0.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.0.dr	String found in binary or memory: https://radio1.be
Source: sets.json.0.dr	String found in binary or memory: https://radio2.be
Source: sets.json.0.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.0.dr	String found in binary or memory: https://repid.org
Source: sets.json.0.dr	String found in binary or memory: https://reshim.org
Source: sets.json.0.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.0.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.0.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.0.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.0.dr	String found in binary or memory: https://samayam.com
Source: sets.json.0.dr	String found in binary or memory: https://sapo.io
Source: sets.json.0.dr	String found in binary or memory: https://sapo.pt
Source: sets.json.0.dr	String found in binary or memory: https://shock.co
Source: sets.json.0.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.0.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.0.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.0.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.0.dr	String found in binary or memory: https://songshare.com
Source: sets.json.0.dr	String found in binary or memory: https://songstats.com
Source: sets.json.0.dr	String found in binary or memory: https://sporza.be
Source: sets.json.0.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.0.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.0.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.0.dr	String found in binary or memory: https://stripe.com
Source: sets.json.0.dr	String found in binary or memory: https://stripe.network
Source: sets.json.0.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.0.dr	String found in binary or memory: https://supereva.it
Source: sets.json.0.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.0.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.0.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.0.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.0.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.0.dr	String found in binary or memory: https://text.com
Source: sets.json.0.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.0.dr	String found in binary or memory: https://the42.ie
Source: sets.json.0.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.0.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.0.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.0.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.0.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.0.dr	String found in binary or memory: https://top.pl
Source: sets.json.0.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.0.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.0.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.0.dr	String found in binary or memory: https://tvid.in
Source: sets.json.0.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.0.dr	String found in binary or memory: https://unotv.com
Source: sets.json.0.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.0.dr	String found in binary or memory: https://vrt.be
Source: sets.json.0.dr	String found in binary or memory: https://vwo.com
Source: sets.json.0.dr	String found in binary or memory: https://welt.de
Source: sets.json.0.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.0.dr	String found in binary or memory: https://wildix.com
Source: sets.json.0.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.0.dr	String found in binary or memory: https://wingify.com
Source: sets.json.0.dr	String found in binary or memory: https://wordle.at
Source: sets.json.0.dr	String found in binary or memory: https://wp.pl
Source: sets.json.0.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.0.dr	String found in binary or memory: https://www.asadcdn.com
Source: sets.json.0.dr	String found in binary or memory: https://ya.ru
Source: sets.json.0.dr	String found in binary or memory: https://yours.co.uk
Source: sets.json.0.dr	String found in binary or memory: https://zalo.me
Source: sets.json.0.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.0.dr	String found in binary or memory: https://zingmp3.vn
Source: sets.json.0.dr	String found in binary or memory: https://zoom.com
Source: sets.json.0.dr	String found in binary or memory: https://zoom.us

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57309 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57309
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_1440_995970925

Jump to behavior

Source: classification engine

Classification label: mal48.win@17/9@4/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2000,i,13647905409609027287,17222081618246682658,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://merge-d78e7.web.app/mail-merge-for-gmail.gif"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2000,i,13647905409609027287,17222081618246682658,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://merge-d78e7.web.app/mail-merge-for-gmail.gif	100%	Avira URL Cloud	malware

Name	IP	Active	Malicious	Antivirus Detection	Reputation
merge-d78e7.web.app	199.36.158.100	true	false		unknown
www.google.com	172.217.18.4	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://wieistmeineip.de	sets.json.0.dr	false	high
https://mercadoshops.com.co	sets.json.0.dr	false	high
https://gliadomain.com	sets.json.0.dr	false	high
https://poalim.xyz	sets.json.0.dr	false	high
https://mercadolivre.com	sets.json.0.dr	false	high
https://reshim.org	sets.json.0.dr	false	high
https://nourishingpursuits.com	sets.json.0.dr	false	high
https://medonet.pl	sets.json.0.dr	false	high
https://unotv.com	sets.json.0.dr	false	high
https://mercadoshops.com.br	sets.json.0.dr	false	high
https://joyreactor.cc	sets.json.0.dr	false	high
https://zdrowietvn.pl	sets.json.0.dr	false	high
https://johndeere.com	sets.json.0.dr	false	high
https://songstats.com	sets.json.0.dr	false	high
https://baomoi.com	sets.json.0.dr	false	high
https://supereva.it	sets.json.0.dr	false	high
https://elfinancierocr.com	sets.json.0.dr	false	high
https://bolasport.com	sets.json.0.dr	false	high
https://rws1nvtvt.com	sets.json.0.dr	false	high
https://desimartini.com	sets.json.0.dr	false	high
https://hearty.app	sets.json.0.dr	false	high
https://hearty.gift	sets.json.0.dr	false	high
https://mercadoshops.com	sets.json.0.dr	false	high
https://heartymail.com	sets.json.0.dr	false	high
https://nlc.hu	sets.json.0.dr	false	high
https://p106.net	sets.json.0.dr	false	high
https://radio2.be	sets.json.0.dr	false	high
https://finn.no	sets.json.0.dr	false	high
https://hc1.com	sets.json.0.dr	false	high
https://kompas.tv	sets.json.0.dr	false	high
https://mystudentdashboard.com	sets.json.0.dr	false	high
https://songshare.com	sets.json.0.dr	false	high
https://smaker.pl	sets.json.0.dr	false	high
https://mercadopago.com.mx	sets.json.0.dr	false	high
https://p24.hu	sets.json.0.dr	false	high
https://talkdeskqaid.com	sets.json.0.dr	false	high
https://24.hu	sets.json.0.dr	false	high
https://mercadopago.com.pe	sets.json.0.dr	false	high
https://cardsayings.net	sets.json.0.dr	false	high
https://text.com	sets.json.0.dr	false	high
https://mightytext.net	sets.json.0.dr	false	high
https://pudelek.pl	sets.json.0.dr	false	high
https://hazipatika.com	sets.json.0.dr	false	high
https://joyreactor.com	sets.json.0.dr	false	high
https://cookreactor.com	sets.json.0.dr	false	high
https://wildixin.com	sets.json.0.dr	false	high
https://eworkbookcloud.com	sets.json.0.dr	false	high
https://cognitiveai.ru	sets.json.0.dr	false	high
https://nacion.com	sets.json.0.dr	false	high
https://chennien.com	sets.json.0.dr	false	high
https://drimer.travel	sets.json.0.dr	false	high
https://deccoria.pl	sets.json.0.dr	false	high
https://mercadopago.cl	sets.json.0.dr	false	high
https://talkdeskstgid.com	sets.json.0.dr	false	high
https://naukri.com	sets.json.0.dr	false	high
https://interia.pl	sets.json.0.dr	false	high
https://bonvivir.com	sets.json.0.dr	false	high
https://carcostadvisor.be	sets.json.0.dr	false	high
https://salemovetravel.com	sets.json.0.dr	false	high
https://sapo.io	sets.json.0.dr	false	high
https://wpext.pl	sets.json.0.dr	false	high
https://welt.de	sets.json.0.dr	false	high
https://poalim.site	sets.json.0.dr	false	high
https://drimer.io	sets.json.0.dr	false	high
https://infoedgeindia.com	sets.json.0.dr	false	high
https://blackrockadvisorelite.it	sets.json.0.dr	false	high
https://cognitive-ai.ru	sets.json.0.dr	false	high
https://cafemedia.com	sets.json.0.dr	false	high
https://graziadaily.co.uk	sets.json.0.dr	false	high
https://thirdspace.org.au	sets.json.0.dr	false	high
https://mercadoshops.com.ar	sets.json.0.dr	false	high
https://smpn106jkt.sch.id	sets.json.0.dr	false	high
https://elpais.uy	sets.json.0.dr	false	high
https://landyrev.com	sets.json.0.dr	false	high
https://the42.ie	sets.json.0.dr	false	high
https://commentcamarche.com	sets.json.0.dr	false	high
https://tucarro.com.ve	sets.json.0.dr	false	high
https://rws3nvtvt.com	sets.json.0.dr	false	high
https://eleconomista.net	sets.json.0.dr	false	high
https://helpdesk.com	sets.json.0.dr	false	high
https://mercadolivre.com.br	sets.json.0.dr	false	high
https://clmbtech.com	sets.json.0.dr	false	high
https://standardsandpraiserepurpose.com	sets.json.0.dr	false	high
https://07c225f3.online	sets.json.0.dr	false	high
https://salemovefinancial.com	sets.json.0.dr	false	high
https://mercadopago.com.br	sets.json.0.dr	false	high
https://zoom.us	sets.json.0.dr	false	high
https://commentcamarche.net	sets.json.0.dr	false	high
https://etfacademy.it	sets.json.0.dr	false	high
https://mighty-app.appspot.com	sets.json.0.dr	false	high
https://hj.rs	sets.json.0.dr	false	high
https://hearty.me	sets.json.0.dr	false	high
https://mercadolibre.com.gt	sets.json.0.dr	false	high
https://timesinternet.in	sets.json.0.dr	false	high
https://indiatodayne.in	sets.json.0.dr	false	high
https://idbs-staging.com	sets.json.0.dr	false	high
https://blackrock.com	sets.json.0.dr	false	high
https://idbs-eworkbook.com	sets.json.0.dr	false	high
https://motherandbaby.com	sets.json.0.dr	false	high
https://mercadolibre.co.cr	sets.json.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.36.158.100	merge-d78e7.web.app	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585843
Start date and time:	2025-01-08 10:51:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://merge-d78e7.web.app/mail-merge-for-gmail.gif
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@17/9@4/6

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.35, 142.250.184.238, 64.233.166.84, 216.58.206.78, 172.217.18.14, 2.22.50.144, 192.229.221.95, 142.250.185.238, 142.250.185.78, 142.250.181.238, 142.250.184.227, 34.104.35.123, 142.250.185.174, 23.56.254.164, 4.175.87.197, 13.107.253.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://merge-d78e7.web.app/mail-merge-for-gmail.gif

Input	Output
URL: https://merge-d78e7.web.app Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: https://merge-d78e7.web.app

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Reputation:	low
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	6.018989605004616
Encrypted:	false
SSDEEP:	48:p/hUI1OwEU3AdIq7ak68O40E2szOxxUJ8BPFkf31U4PrHfqY3J5D:RnOwtQIq7aZ40E2sYUJAYRr/qYZ5D
MD5:	C4709C1D483C9233A3A66A7E157624EA
SHA1:	99A000EB5FE5CC1E94E3155EE075CD6E43DC7582
SHA-256:	225243DC75352D63B0B9B2F48C8AAA09D55F3FB9E385741B12A1956A941880D9
SHA-512:	B45E1FD999D1340CC5EB5A49A4CD967DC736EA3F4EC8B02227577CC3D1E903341BE3217FBB0B74765C72085AC51C63EEF6DCB169D137BBAF3CC49E21EA6468D7
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJVczFpOUt3Zm5uMThTVVR1RVItRXBDTTMwVzFkNTc0cGJwUlJSdGJYM0JVIn0seyJwYXRoIjoic2V0cy5qc29uIiwicm9vdF9oYXNoIjoiM0hiWThLc3poeEF6UDVSUU9fZEpvZGNwbEtpRXR0RWh2UmZMZEtjSTdjZyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImdvbnBlbWRna2pjZWNkZ2JuYWFiaXBwcGJtZ2ZnZ2JlIiwiaXRlbV92ZXJzaW9uIjoiMjAyNC4xMS44LjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"lGxZ1-AH7F8MftKSBdZiFULmC8hZkIHy1_2XIoU81Z5mK0wHVwNV7-55CBTcuuvKjTje-AnKLDoG4S0A_Jeg4lSQK5V_Q4f6JVqp5Vj_ge86YkRZEv4m1bjKRY4N17SHobwuH8Hc_kAugFIlG1LIDHnrm1N7ZWIqo3fVlnVqgSstmvFXAhBazgs1UYRi3hPjPM6e1q1i2N1mIUbxLvG41frGo2QJ8W5J3buUjzs-0y250k-YkadKAR0

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.820000180714897
Encrypted:	false
SSDEEP:	3:SVzHL3phUmWRDNKydvgHVz:SBHLLUmWRbCp
MD5:	BBEC7670A2519FEB0627F17D0C0B5276
SHA1:	9C30B996F1B069F86EF7C0136DFAF7E614674DEA
SHA-256:	670A6F6BBADAB2C2BE63898525FCAF72E7454739E77C04D120BC1A46B6694CAC
SHA-512:	1ED4ED6AE2A2CBE86F9E8C6C7A2672EBB2F37DBE83D2BF09D875DB435ED63BF5F5CF60CA846865166F9A498095F6D61BD51B0A092E097430439E8A5A3A14CB15
Malicious:	false
Reputation:	low
Preview:	1.03cccbb22b17080279ea1707c9ab093c59f4f4dd09580c841cfa794cb372228d

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.462192586591686
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFCmMARWHJqS1kULJVPY:F6VlM8aRWpqS1kSJVg
MD5:	084E339C0C9FE898102815EAC9A7CDEA
SHA1:	6ABF7EAAA407D2EAB8706361E5A2E5F776D6C644
SHA-256:	52CD62F4AC1F9E7D7C4944EE111F84A42337D16D5DE7BE296E945146D6D7DC15
SHA-512:	0B67A89F3EBFF6FEC3796F481EC2AFBAC233CF64FDC618EC6BA1C12AE125F28B27EE09E8CD0FADB8F6C8785C83929EA6F751E0DDF592DD072AB2CF439BD28534
Malicious:	false
Reputation:	low
Preview:	{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2024.11.8.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\sets.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	9817
Entropy (8bit):	4.629347296880043
Encrypted:	false
SSDEEP:	96:Mon4mvC4qX19s1blbw/BNKLcxbdmf56MFJtRTGXvcxN43uP+8qJl:v5C4ql7BkIVmtRTGXvcxBsl
MD5:	8C702C686B703020BC0290BAFC90D7A0
SHA1:	EB08FF7885B4C1DE3EF3D61E40697C0C71903E27
SHA-256:	97D9E39021512305820F27B9662F0351E45639124F5BD29F0466E9072A9D0C62
SHA-512:	6137D0ED10E6A27924ED3AB6A0C5F9B21EB0E16A876447DADABD88338198F31BB9D89EF8F0630F4573EA34A24FB3FD3365D7EA78A97BA10028A0758E0A550739
Malicious:	false
Reputation:	low
Preview:	{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://citybibleforum.org","associatedSites":["https://thirdspace.org.au"]}.{"primary":"https://cognitiveai.ru","associatedSites":["https://cognitive-ai.ru"]}.{"primary":"https://drimer.io","asso

Chrome Cache Entry: 49

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 150 x 150
Category:	downloaded
Size (bytes):	28734
Entropy (8bit):	7.8077807745284025
Encrypted:	false
SSDEEP:	384:UxlLWq+6vfsW6U1vktguTl4tJZJZJZJZJZJZJZJZJZJi:YlZXx6U1yLiD/////////i
MD5:	F7B96290E8D578DB1823DF99421A9576
SHA1:	585C9ECCA33778C7BAB04E60F94F6E8729C9F41E
SHA-256:	E2606DA21A3140A5D1BB7FBFC46253CC198F9A6AFDCD44BCCB7A57986249D486
SHA-512:	B40AD28FBF3CC2287D8B07E2B8E2391EEF984259BA8F80E8B2E4FC7FF22440FDD921E7D390FD32C3F85D2ACB8D1D28D6D46E991E653C0D0C9C28CA88DF7D7F6A
Malicious:	false
Reputation:	low
URL:	https://merge-d78e7.web.app/mail-merge-for-gmail.gif
Preview:	GIF89a.....-...^..\..\..]..]..^..^..\..]..^..^#.g$.g#.h2.qA.{P.._..^..m.m.\|.\|.{.\|...........................................................................................................!.......!..ImageMagick.gamma=0.45455.,...........@.pH,...r.l:..tJ.Z..v..z..xL....z.n... ......~......z..`.......[.....\|Y.....V....uU.....T....R...\|.Q....P....P........N..O..............{...v....................................Ul.3....L(o....6... .Co.X...".i.{I.H2E.v... I...&...$Y.%.q.fr\q.].Jk2unt.....B[.,zS...<...V....B.64:....U..]...3.$?...E.c!K9.1s.U.:/,..inR.u<$%[.g.....T..m...bB.X..;.I.k...;%..0..T].V.n.B.;..B.%....-DT.#6/g.....mbw..c..M.....&....0.R.2..h8...:g.p.7....&.,.Rs.+......uN.T.m.Z.w..-.I....Hl3..Km\|,..L"...v..F..z,..e..A".P....#t%..%.....#..e.eR^u...H.,. .'..V.}..H...P. m6"..P.<X..N..R.A...Z..@F2B].&...%(&.}:.HP..hIR......-0...:....x...., .....".\F9..Q.!..B>.V...`......v@...i.&T........Z..S.J..v.............,...x......+.+.`.....i.(t.....z,It

Chrome Cache Entry: 50

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	2001
Entropy (8bit):	4.411649720639716
Encrypted:	false
SSDEEP:	24:hYepYuOBbRdE6gJ4HHMpvwYVer6Fyh2xaFL8kMaF0FYLfQQLCwE+dtaJXEP5KhoY:JabiJZwaoFLkaxE2aJXy5+oY
MD5:	B995018A2BDBB7BCDFA8918E9DD24733
SHA1:	8992C8A646A0BB267BAC866DFF7B9E08E762F61C
SHA-256:	C3CCEAC8CE333BE28C40B9C0BE7FE4F0C70C70C5D49178AA41FB4FDAC7CA73E3
SHA-512:	73C18A135466BE60BA0626860F1553DE6224E4022E5076FD292175B5FC6FF86C00CD56275486579679256691B8C7F70E22917BDC40E18EB5765F7A72044115A3
Malicious:	false
Reputation:	low
URL:	https://merge-d78e7.web.app/favicon.ico
Preview:	<!DOCTYPE html>.<html>. <head>. <meta charset="utf-8" />. <meta name="viewport" content="width=device-width, initial-scale=1" />. <title>Page Not Found</title>.. <style media="screen">. body {. background: #eceff1;. color: rgba(0, 0, 0, 0.87);. font-family: Roboto, Helvetica, Arial, sans-serif;. margin: 0;. padding: 0;. }.. #message {. background: white;. max-width: 360px;. margin: 100px auto 16px;. padding: 32px 24px 16px;. border-radius: 3px;. }.. #message h3 {. color: #888;. font-weight: normal;. font-size: 16px;. margin: 16px 0 12px;. }.. #message h2 {. color: #ffa100;. font-weight: bold;. font-size: 16px;. margin: 0 0 8px;. }.. #message h1 {. font-size: 22px;. font-weight: 300;. color: rgba(0, 0, 0, 0.6);. margin: 0 0 16px;. }.. #message p {. line-height:

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 10:52:01.318214893 CET	49675	443	192.168.2.4	173.222.162.32
Jan 8, 2025 10:52:10.927721024 CET	49675	443	192.168.2.4	173.222.162.32
Jan 8, 2025 10:52:15.185215950 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:15.185236931 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:15.185523987 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:15.185523987 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:15.185553074 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:15.845576048 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:15.845813990 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:15.845824003 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:15.846837997 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:15.846894026 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:15.848129988 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:15.848205090 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:15.894915104 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:15.894925117 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:15.941802979 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:16.784754992 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:16.784789085 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:16.784878016 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:16.785670042 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:16.785713911 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:16.785810947 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:16.786031008 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:16.786046028 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:16.786577940 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:16.786592007 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.253165960 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.253417015 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.253448963 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.254441023 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.254539013 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.259407997 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.259473085 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.259787083 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.259798050 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.265489101 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.265702963 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.265722036 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.266719103 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.266855001 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.267148018 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.267204046 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.304646969 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.320473909 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.320483923 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.355837107 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.356349945 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.356426954 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.356587887 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.356591940 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.356610060 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.356641054 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.356673002 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.356713057 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.356741905 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.356746912 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.356827974 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.357355118 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.357423067 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.357511997 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.357547045 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.357552052 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.359787941 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.367539883 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.371711016 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.421816111 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.444982052 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445070982 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445106030 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445149899 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445174932 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.445180893 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445209026 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445221901 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.445271969 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.445430040 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445791960 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445858002 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.445861101 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.446011066 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.446693897 CET	49739	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.446710110 CET	443	49739	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.455588102 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.503339052 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.648989916 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.649076939 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.649158001 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:17.649264097 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.649979115 CET	49740	443	192.168.2.4	199.36.158.100
Jan 8, 2025 10:52:17.649995089 CET	443	49740	199.36.158.100	192.168.2.4
Jan 8, 2025 10:52:25.754160881 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:25.754264116 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:25.754373074 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:27.430341005 CET	49737	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:52:27.430373907 CET	443	49737	172.217.18.4	192.168.2.4
Jan 8, 2025 10:52:27.479408026 CET	49723	80	192.168.2.4	199.232.214.172
Jan 8, 2025 10:52:27.484528065 CET	80	49723	199.232.214.172	192.168.2.4
Jan 8, 2025 10:52:27.484599113 CET	49723	80	192.168.2.4	199.232.214.172
Jan 8, 2025 10:53:12.609282017 CET	57290	53	192.168.2.4	1.1.1.1
Jan 8, 2025 10:53:12.614092112 CET	53	57290	1.1.1.1	192.168.2.4
Jan 8, 2025 10:53:12.614151955 CET	57290	53	192.168.2.4	1.1.1.1
Jan 8, 2025 10:53:12.618998051 CET	53	57290	1.1.1.1	192.168.2.4
Jan 8, 2025 10:53:13.067567110 CET	57290	53	192.168.2.4	1.1.1.1
Jan 8, 2025 10:53:13.072664022 CET	53	57290	1.1.1.1	192.168.2.4
Jan 8, 2025 10:53:13.072735071 CET	57290	53	192.168.2.4	1.1.1.1
Jan 8, 2025 10:53:15.240720034 CET	57309	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:53:15.240740061 CET	443	57309	172.217.18.4	192.168.2.4
Jan 8, 2025 10:53:15.240828037 CET	57309	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:53:15.241092920 CET	57309	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:53:15.241102934 CET	443	57309	172.217.18.4	192.168.2.4
Jan 8, 2025 10:53:15.900523901 CET	443	57309	172.217.18.4	192.168.2.4
Jan 8, 2025 10:53:15.901420116 CET	57309	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:53:15.901431084 CET	443	57309	172.217.18.4	192.168.2.4
Jan 8, 2025 10:53:15.901814938 CET	443	57309	172.217.18.4	192.168.2.4
Jan 8, 2025 10:53:15.902825117 CET	57309	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:53:15.902889967 CET	443	57309	172.217.18.4	192.168.2.4
Jan 8, 2025 10:53:15.957989931 CET	57309	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:53:16.645885944 CET	49724	80	192.168.2.4	199.232.210.172
Jan 8, 2025 10:53:16.650868893 CET	80	49724	199.232.210.172	192.168.2.4
Jan 8, 2025 10:53:16.650930882 CET	49724	80	192.168.2.4	199.232.210.172
Jan 8, 2025 10:53:25.802968025 CET	443	57309	172.217.18.4	192.168.2.4
Jan 8, 2025 10:53:25.803040981 CET	443	57309	172.217.18.4	192.168.2.4
Jan 8, 2025 10:53:25.803095102 CET	57309	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:53:27.428577900 CET	57309	443	192.168.2.4	172.217.18.4
Jan 8, 2025 10:53:27.428620100 CET	443	57309	172.217.18.4	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 10:52:10.658651114 CET	53	50247	1.1.1.1	192.168.2.4
Jan 8, 2025 10:52:10.672141075 CET	53	59749	1.1.1.1	192.168.2.4
Jan 8, 2025 10:52:11.728722095 CET	53	56903	1.1.1.1	192.168.2.4
Jan 8, 2025 10:52:15.177313089 CET	54354	53	192.168.2.4	1.1.1.1
Jan 8, 2025 10:52:15.177313089 CET	61916	53	192.168.2.4	1.1.1.1
Jan 8, 2025 10:52:15.184035063 CET	53	61916	1.1.1.1	192.168.2.4
Jan 8, 2025 10:52:15.184238911 CET	53	54354	1.1.1.1	192.168.2.4
Jan 8, 2025 10:52:16.766043901 CET	61193	53	192.168.2.4	1.1.1.1
Jan 8, 2025 10:52:16.766043901 CET	58937	53	192.168.2.4	1.1.1.1
Jan 8, 2025 10:52:16.773025036 CET	53	61193	1.1.1.1	192.168.2.4
Jan 8, 2025 10:52:16.784204006 CET	53	58937	1.1.1.1	192.168.2.4
Jan 8, 2025 10:52:28.229998112 CET	138	138	192.168.2.4	192.168.2.255
Jan 8, 2025 10:52:28.638206959 CET	53	60421	1.1.1.1	192.168.2.4
Jan 8, 2025 10:52:47.341201067 CET	53	60745	1.1.1.1	192.168.2.4
Jan 8, 2025 10:53:10.266460896 CET	53	56127	1.1.1.1	192.168.2.4
Jan 8, 2025 10:53:10.566432953 CET	53	59292	1.1.1.1	192.168.2.4
Jan 8, 2025 10:53:12.608926058 CET	53	52606	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 10:52:15.177313089 CET	192.168.2.4	1.1.1.1	0xbbd1	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:52:15.177313089 CET	192.168.2.4	1.1.1.1	0xf644	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jan 8, 2025 10:52:16.766043901 CET	192.168.2.4	1.1.1.1	0xa169	Standard query (0)	merge-d78e7.web.app	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:52:16.766043901 CET	192.168.2.4	1.1.1.1	0xed70	Standard query (0)	merge-d78e7.web.app	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 10:52:15.184035063 CET	1.1.1.1	192.168.2.4	0xf644	No error (0)	www.google.com		65	IN (0x0001)	false
Jan 8, 2025 10:52:15.184238911 CET	1.1.1.1	192.168.2.4	0xbbd1	No error (0)	www.google.com	172.217.18.4	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:52:16.773025036 CET	1.1.1.1	192.168.2.4	0xa169	No error (0)	merge-d78e7.web.app	199.36.158.100	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

merge-d78e7.web.app

https:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	199.36.158.100	443	1460	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:52:17 UTC	686	OUT	GET /mail-merge-for-gmail.gif HTTP/1.1 Host: merge-d78e7.web.app Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-08 09:52:17 UTC	592	IN	HTTP/1.1 200 OK Connection: close Content-Length: 28734 Cache-Control: max-age=3600 Content-Type: image/gif Etag: "e5e80ffc2736c70f471d1712b9c543b3c482e7f6cc275670c10325c5cf3a5205" Last-Modified: Thu, 25 Aug 2022 21:36:57 GMT Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:52:17 GMT X-Served-By: cache-ewr-kewr1740022-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1736329937.312250,VS0,VE1 Vary: x-fh-requested-host, accept-encoding alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: 47 49 46 38 39 61 96 00 96 00 f5 2d 00 13 9f 5e 14 9f 5c 15 9f 5c 14 9f 5d 16 9f 5d 14 9f 5e 15 9f 5e 15 a0 5c 15 a0 5d 15 a0 5e 16 a0 5e 23 a6 67 24 a6 67 23 a6 68 32 ac 71 41 b2 7b 50 b8 85 5f be 8f 5e be 90 6d c4 99 6d c4 9a 7c c9 a3 7c ca a3 7b ca a4 7c ca a4 8a cf ae 8a d0 ae 98 d5 b8 99 d5 b8 98 d6 b8 99 d6 b8 99 d6 b9 a7 db c2 a7 db c3 a7 dc c2 b6 e1 cc b6 e2 cc c4 e7 d6 c4 e8 d6 d3 ed e1 e1 f3 eb e2 f3 eb e2 f4 eb f0 f9 f5 f1 f9 f5 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 f9 04 0d 03 00 2e 00 21 ff 0b 49 6d 61 67 65 4d 61 67 69 63 6b 0d 67 61 6d 6d 61 3d 30 2e 34 35 34 35 35 00 2c 00 00 00 00 96 00 96 00 00 06 fe 40 Data Ascii: GIF89a-^\\]]^^\]^^#g$g#h2qA{P_^mm\|\|{\|!.!ImageMagickgamma=0.45455,@
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: 2e 34 35 34 35 35 00 2c 00 00 00 00 96 00 96 00 85 13 9f 5e 14 9f 5c 15 9f 5c 14 9f 5d 16 9f 5d 14 9f 5e 15 9f 5e 15 a0 5c 15 a0 5d 15 a0 5e 16 a0 5e 23 a6 67 24 a6 67 23 a6 68 32 ac 71 40 b2 7b 41 b2 7b 50 b8 85 5f be 8f 5e be 90 6d c4 99 6d c4 9a 7c c9 a3 7c ca a3 7b ca a4 7c ca a4 8a cf ae 8a d0 ae 98 d5 b8 99 d5 b8 99 d6 b8 99 d6 b9 a7 db c2 a7 db c3 a7 dc c2 a8 dc c3 b6 e2 cc c4 e7 d6 c4 e8 d6 d3 ed e1 e1 f3 eb e2 f3 eb f0 f9 f5 f1 f9 f5 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fe c0 96 70 48 2c 1a 8f c8 a4 72 c9 6c 3a 9f d0 a8 74 4a ad 5a af d8 ac 76 cb ed 7a bf e0 b0 78 4c 2e 9b cf e8 b4 7a cd 6e bb df f0 b4 Data Ascii: .45455,^\\]]^^\]^^#g$g#h2q@{A{P_^mm\|\|{\|pH,rl:tJZvzxL.zn
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: 15 9f 5e 15 a0 5c 15 a0 5d 15 a0 5e 16 a0 5e 23 a6 67 24 a6 67 23 a6 68 32 ac 71 40 b2 7b 41 b2 7b 50 b8 85 5e be 90 5f be 90 6d c3 99 6d c4 99 6d c4 9a 7c c9 a3 7c ca a3 7b ca a4 7c ca a4 8a cf ae 8a d0 ae 98 d5 b8 99 d5 b8 98 d6 b8 99 d6 b8 99 d6 b9 a7 db c2 a7 db c3 a7 dc c2 a8 db c3 b6 e1 cc b6 e2 cc c4 e7 d6 c4 e8 d6 d3 ed e0 d3 ed e1 d3 ee e0 e1 f3 eb e2 f3 eb e2 f4 eb f0 f9 f5 f1 f9 f5 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fe c0 99 70 48 2c 1a 8f c8 a4 72 c9 6c 3a 9f d0 a8 74 4a ad 5a af d8 ac 76 cb ed 7a bf e0 b0 78 4c 2e 9b cf e8 b4 7a cd 6e bb df f0 b4 20 81 a8 db ef f8 bc 7e cf ef fb ff 80 81 7a 0a 08 60 82 87 88 89 8a 8b 87 5b 8c 8f 90 91 92 7c 59 93 96 Data Ascii: ^\]^^#g$g#h2q@{A{P^_mmm\|\|{\|pH,rl:tJZvzxL.zn ~z`[\|Y
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: a0 5e 23 a6 67 24 a6 67 23 a6 68 32 ac 71 40 b2 7b 41 b2 7b 50 b8 85 5f be 8f 5e be 90 6d c3 99 6d c4 99 6d c4 9a 7c c9 a3 7c ca a3 7b ca a4 7c ca a4 8a cf ae 8a d0 ae 98 d5 b8 99 d5 b8 98 d6 b8 99 d6 b8 99 d6 b9 a7 db c2 a7 db c3 a7 dc c2 b6 e1 cc b6 e2 cc c4 e7 d6 c4 e8 d6 d3 ed e0 d3 ed e1 d3 ee e0 d3 ee e1 e1 f3 eb e2 f3 eb e2 f4 eb f0 f9 f5 f1 f9 f5 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fe c0 99 70 48 2c 1a 8f c8 a4 72 c9 6c 3a 9f d0 a8 74 4a ad 5a af d8 ac 76 cb ed 7a bf e0 b0 78 4c 2e 9b cf e8 b4 7a cd 6e bb df f0 b4 20 81 a8 db ef f8 bc 7e cf ef fb ff 80 81 7a 0a 08 60 82 87 88 89 8a 8b 87 5b 8c 8f 90 91 92 7c 59 93 96 97 98 8d 56 99 9c 9d 9e 75 55 02 9f a3 Data Ascii: ^#g$g#h2q@{A{P_^mmm\|\|{\|pH,rl:tJZvzxL.zn ~z`[\|YVuU
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: 5d 15 a0 5e 16 a0 5e 23 a6 67 24 a6 67 23 a6 68 32 ac 71 41 b2 7b 50 b8 85 5f be 8f 5e be 90 5f be 90 6d c3 99 6d c4 99 6d c4 9a 7c c9 a3 7c ca a3 7b ca a4 7c ca a4 8a cf ae 8a d0 ae 98 d5 b8 99 d5 b8 98 d6 b8 99 d6 b8 99 d6 b9 a7 db c2 a7 dc c2 b6 e1 cc b6 e2 cc c4 e7 d6 c4 e8 d6 d3 ed e1 d3 ee e0 e1 f3 eb e2 f3 eb e2 f4 eb f0 f9 f5 f1 f9 f5 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fe 40 98 70 48 2c 1a 8f c8 a4 72 c9 6c 3a 9f d0 a8 74 4a ad 5a af d8 ac 76 cb ed 7a bf e0 b0 78 4c 2e 9b cf e8 b4 7a cd 6e bb df f0 b4 20 81 a8 db ef f8 bc 7e cf ef fb ff 80 81 7a 0a 08 60 82 87 88 89 8a 8b 87 5b 8c 8f 90 91 92 7c 59 93 96 97 98 8d 56 99 9c 9d 9e Data Ascii: ]^^#g$g#h2qA{P_^_mmm\|\|{\|@pH,rl:tJZvzxL.zn ~z`[\|YV
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: 4d 61 67 69 63 6b 0d 67 61 6d 6d 61 3d 30 2e 34 35 34 35 35 00 2c 00 00 00 00 96 00 96 00 85 13 9f 5e 14 9f 5c 15 9f 5c 14 9f 5d 16 9f 5d 14 9f 5e 15 9f 5e 15 a0 5c 15 a0 5d 15 a0 5e 16 a0 5e 23 a6 67 24 a6 67 23 a6 68 32 ac 71 40 b2 7b 41 b2 7b 50 b8 85 5f be 8f 5e be 90 6d c4 99 6d c4 9a 7c c9 a3 7c ca a3 7b c9 a4 7b ca a4 7c ca a4 8a cf ae 8a d0 ae 98 d5 b8 99 d5 b8 98 d6 b8 99 d6 b8 99 d6 b9 a7 db c2 a7 db c3 a7 dc c2 b6 e1 cc b6 e1 cd b6 e2 cc c4 e7 d6 c4 e8 d6 d3 ed e1 e1 f3 eb e2 f3 eb e2 f4 eb f0 f9 f5 f1 f9 f5 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fe c0 98 70 48 2c 1a 8f c8 a4 72 c9 6c 3a 9f d0 a8 74 4a ad 5a af d8 ac 76 cb ed 7a bf e0 b0 Data Ascii: Magickgamma=0.45455,^\\]]^^\]^^#g$g#h2q@{A{P_^mm\|\|{{\|pH,rl:tJZvz
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: 23 28 85 00 6c f0 7a 55 f0 e0 07 1f a1 85 11 2e a2 0b 26 14 84 18 0a 90 42 3c 08 20 0e 30 8c a1 0c 67 48 c3 1a da f0 86 38 cc a1 0e 77 c8 c3 1e fa f0 87 40 14 43 10 00 00 21 f9 04 0d 03 00 32 00 21 ff 0b 49 6d 61 67 65 4d 61 67 69 63 6b 0d 67 61 6d 6d 61 3d 30 2e 34 35 34 35 35 00 2c 00 00 00 00 96 00 96 00 85 13 9f 5e 14 9f 5c 15 9f 5c 14 9f 5d 16 9f 5d 14 9f 5e 15 9f 5e 15 a0 5c 15 a0 5d 15 a0 5e 16 a0 5e 23 a6 67 24 a6 67 23 a6 68 32 ac 71 40 b2 7b 41 b2 7b 50 b8 85 5f be 8f 5e be 90 5f be 90 6d c3 99 6d c4 9a 7c c9 a3 7c ca a3 7b ca a4 7c ca a4 8a cf ae 8a d0 ae 98 d5 b8 99 d5 b8 98 d6 b8 99 d6 b8 99 d6 b9 a7 db c2 a7 db c3 a7 dc c2 a8 dc c3 b6 e1 cc b6 e2 cc c4 e7 d6 c4 e8 d6 d3 ed e1 d3 ee e0 e1 f3 eb e2 f3 eb e2 f4 eb f0 f9 f5 f1 f9 f5 ff ff ff 00 Data Ascii: #(lzU.&B< 0gH8w@C!2!ImageMagickgamma=0.45455,^\\]]^^\]^^#g$g#h2q@{A{P_^_mm\|\|{\|
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: f8 7d 8c 4f 3e 37 dd 9f 6f 67 fa ea ab cc 7c fb 6a b1 0f bf 29 f2 cf 5f 6b fd f6 2f 62 7e fe fb db df ff fc ff 6b 9f 01 9e 40 88 fc bd 82 18 4d 18 80 01 9d 02 8c 05 a2 a6 81 0e 2c 05 01 64 11 41 eb e1 af 82 94 98 02 06 bf 07 85 00 6c b0 53 53 f0 e0 07 dd b7 89 11 d2 cf 11 26 54 84 18 0a 90 c2 3e 08 20 0e 30 8c a1 0c 67 48 c3 1a da f0 86 38 cc a1 0e 77 c8 c3 1e fa f0 87 40 14 43 10 00 00 21 f9 04 0d 03 00 31 00 21 ff 0b 49 6d 61 67 65 4d 61 67 69 63 6b 0d 67 61 6d 6d 61 3d 30 2e 34 35 34 35 35 00 2c 00 00 00 00 96 00 96 00 85 13 9f 5e 14 9f 5c 15 9f 5c 14 9f 5d 16 9f 5d 14 9f 5e 15 9f 5e 15 a0 5c 15 a0 5d 15 a0 5e 16 a0 5e 23 a6 67 24 a6 67 23 a6 68 32 ac 71 40 b2 7b 41 b2 7b 50 b8 85 5f be 8f 5e be 90 5f be 90 6d c4 99 6d c4 9a 7c c9 a3 7c ca a3 7b ca a4 Data Ascii: }O>7og\|j)_k/b~k@M,dAlSS&T> 0gH8w@C!1!ImageMagickgamma=0.45455,^\\]]^^\]^^#g$g#h2q@{A{P_^_mm\|\|{
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: ae 79 2f 5b 4b 96 b9 b6 cb 4c 69 d6 d5 ac a4 2b de 09 04 4b 4d fe 8e ed 9d 8c 2d 11 57 94 f3 de 89 ec 2f a1 60 8e f0 12 fa 09 3c d6 ab 0b d3 3a 4a 01 33 0f bb 34 23 a0 f4 f2 33 a5 3f 12 f2 f5 d8 23 2f e3 07 3c 8f 5e 7b f3 6f cb 44 7e f9 5d 9d 8f 3e 5d ea af 2f dc f4 ee 5b e4 7d fc 8b 64 4f 3f 37 f3 df bf 4a fe fa 0b 62 7f ff 77 f8 1f 00 e1 d6 be 01 da 0b 7e 06 dc 0f 02 13 48 a2 05 32 30 4b 03 7b 20 fb 1c 28 c1 4c 18 e0 09 84 a8 60 29 88 d1 84 01 68 50 35 c0 f8 20 04 29 28 42 48 10 40 16 25 bc 13 0a 53 28 30 01 c6 af 0a 01 60 a1 ab 60 28 43 68 54 a2 86 8a e8 02 0e fd 17 86 02 ec 10 0f 02 88 83 10 87 48 c4 22 1a f1 88 48 4c a2 12 97 c8 c4 26 3a f1 89 50 8c a2 14 c5 10 04 00 21 f9 04 0d 03 00 31 00 21 ff 0b 49 6d 61 67 65 4d 61 67 69 63 6b 0d 67 61 6d 6d 61 Data Ascii: y/[KLi+KM-W/`<:J34#3?#/<^{oD~]>]/[}dO?7Jbw~H20K{ (L`)hP5 )(BH@%S(0``(ChTH"HL&:P!1!ImageMagickgamma
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: 42 33 e5 42 d1 47 8b b3 f5 1d 19 b0 86 32 06 2b c7 33 f6 1d 0e f4 84 92 0a 1f 58 10 b6 1d 69 6f b3 36 1e dd 4a 60 81 04 11 d4 9d 99 06 25 40 24 c2 3a 77 2b 8a 71 c3 5a 53 4d 8a 8e 5f 22 9b 8e e2 a3 30 b5 e9 37 85 1f e2 5c 51 4b 53 0e f9 27 0e 64 fc 9f 39 9b 53 cc 14 7c 53 8f 9c 8b c1 1e 3a fe 4e e8 9f 3c dc 6c e9 40 1f f3 b1 d4 48 aa cb c3 ba d3 19 f3 c8 ce ed 9f 94 ed 93 bf d3 54 be 48 b5 c0 ef 6e 7a 2f 9d db f4 b2 f1 b1 2f e3 3b 4a 7e db 7e bc 2f 2d 8f 0a 7b d3 d6 f8 ea f3 f5 13 fb c5 c1 07 18 cc cd 3c f6 0d 49 df 7c f9 f8 f0 8e be c8 e7 af 5f 91 fa ee 7f 3a 7d fc e0 25 41 7f 3d f0 df 0f 4d fe fa 33 22 7c ff dc e0 1f 00 a9 21 c0 01 6a 62 7e 06 94 98 fd 12 88 94 f6 31 90 69 dd 7b 60 2a 0c f0 04 42 48 30 15 c4 68 c2 00 2e 58 bf 08 72 50 4d c0 f8 e0 27 08 Data Ascii: B3BG2+3Xio6J`%@$:w+qZSM_"07\QKS'd9S\|S:N<l@HTHnz//;J~~/-{<I\|_:}%A=M3"\|!jb~1i{`*BH0h.XrPM'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	199.36.158.100	443	1460	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:52:17 UTC	618	OUT	GET /favicon.ico HTTP/1.1 Host: merge-d78e7.web.app Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://merge-d78e7.web.app/mail-merge-for-gmail.gif Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-08 09:52:17 UTC	615	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 2001 Cache-Control: max-age=3600 Content-Type: text/html; charset=utf-8 Etag: "ea702d5454be80ff40345edff43e1aac085c1c2145f6315b87465870ac2f41ef" Last-Modified: Thu, 25 Aug 2022 21:36:57 GMT Strict-Transport-Security: max-age=31556926; includeSubDomains; preload Accept-Ranges: bytes Date: Wed, 08 Jan 2025 09:52:17 GMT X-Served-By: cache-ewr-kewr1740059-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736329938.506934,VS0,VE94 Vary: x-fh-requested-host, accept-encoding alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
2025-01-08 09:52:17 UTC	1378	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 65 63 65 66 66 31 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <title>Page Not Found</title> <style media="screen"> body { background: #eceff1; color:
2025-01-08 09:52:17 UTC	623	IN	Data Raw: 33 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 32 29 2c 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 32 34 29 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 23 6c 6f 61 64 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 34 29 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 33 70 78 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 36 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 62 6f 64 79 2c 0a 20 20 20 20 20 20 20 20 23 6d 65 73 73 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 6d 61 Data Ascii: 3px rgba(0, 0, 0, 0.12), 0 1px 2px rgba(0, 0, 0, 0.24); } #load { color: rgba(0, 0, 0, 0.4); text-align: center; font-size: 13px; } @media (max-width: 600px) { body, #message { ma

Target ID:	0
Start time:	04:52:05
Start date:	08/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	04:52:09
Start date:	08/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2000,i,13647905409609027287,17222081618246682658,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:52:16
Start date:	08/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://merge-d78e7.web.app/mail-merge-for-gmail.gif"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: global traffic	HTTP traffic detected: GET /mail-merge-for-gmail.gif HTTP/1.1Host: merge-d78e7.web.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: merge-d78e7.web.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://merge-d78e7.web.app/mail-merge-for-gmail.gifAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: merge-d78e7.web.app

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://merge-d78e7.web.app/mail-merge-for-gmail.gif

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1440_473909668\sets.json

Chrome Cache Entry: 49

Chrome Cache Entry: 50

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 1440, Parent PID: 5496

General

Chronological Activities

Analysis Process: chrome.exePID: 1460, Parent PID: 1440

General

Chronological Activities

Analysis Process: chrome.exePID: 6524, Parent PID: 5496

General

Windows Analysis Report
https://merge-d78e7.web.app/mail-merge-for-gmail.gif