Source: 0.5.id.script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: https://dkjndlsknld-secondary.z13.web.core.windows... This script exhibits several high-risk behaviors, including data exfiltration, dynamic code execution, and redirection to a suspicious domain. The script extracts the user's email from the URL hash, validates it, and then constructs a dynamic URL with the email parameter and 10 random numbers before a base64-encoded domain. This URL is then used to redirect the user, which is a common technique used in phishing and malware campaigns. Additionally, the script uses the `atob` function to decode the base64-encoded domain, which could be used to hide the true destination of the redirect. Overall, the combination of these behaviors suggests a high risk of malicious intent. |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Proxy from: www.applyweb.com/shibboleth/shibboleth.sso/logout?return=https://sharingforsharepoint.z13.web.core.windows.net/ to https://sharingforsharepoint.z13.web.core.windows.net/ |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Proxy from: www.applyweb.com/shibboleth/shibboleth.sso/logout?return=https://sharingsharepoinonline.z13.web.core.windows.net/ to https://sharingsharepoinonline.z13.web.core.windows.net/ |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Proxy from: www.applyweb.com/shibboleth/shibboleth.sso/logout?return=https://dkjndlsknld-secondary.z13.web.core.windows.net/ to https://dkjndlsknld-secondary.z13.web.core.windows.net/ |
Source: https://d3.kihnccf7.sa.com/?t=scott%40lcatterton.com&gclid=EAIaIQobChMIiMTQotWhiQMVAEgdCR0rHgdmEAEYASAAEgIlb_D_BwE&dclid=CNaO6uyo7ooDFeeT_QcdKscRAA | HTTP Parser: scott@lcatterton.com |
Source: https://dkjndlsknld-secondary.z13.web.core.windows.net/ | HTTP Parser: Number of links: 0 |
Source: https://dkjndlsknld-secondary.z13.web.core.windows.net/ | HTTP Parser: Base64 decoded: d3.kihnccf7.sa.com |
Source: https://dkjndlsknld-secondary.z13.web.core.windows.net/ | HTTP Parser: Title: Microsoft SharePoint - Verify Identity does not match URL |
Source: https://sharedocsonline.z13.web.core.windows.net/ | HTTP Parser: No favicon |
Source: https://dkjndlsknld-secondary.z13.web.core.windows.net/ | HTTP Parser: No favicon |
Source: https://dkjndlsknld-secondary.z13.web.core.windows.net/ | HTTP Parser: No <meta name="author".. found |
Source: https://dkjndlsknld-secondary.z13.web.core.windows.net/ | HTTP Parser: No <meta name="copyright".. found |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Redirect from: ejfv5thbb.cc.rs6.net to https://t.co/iqdaflvdcf |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Redirect from: ib.adnxs.com to https://daimler-bkk.portal-gesundheitonline.de/index.php?itemid=107&kategorie_id=183&layout=startseite&option=com_bkk&type=teaser_rauchfrei&view=service&redirect=https://federation.nih.gov/shibboleth.sso/logout?return=https://federation.nih.gov/shibboleth.sso/logout?return=https://www.applyweb.com/shibboleth/shibboleth.sso/logout?return=https://sharingforsharepoint.z13.web.core.windows.net/ |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Redirect from: www.applyweb.com to https://sharingforsharepoint.z13.web.core.windows.net/ |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Redirect from: www.applyweb.com to https://sharingsharepoinonline.z13.web.core.windows.net/ |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Redirect from: www.applyweb.com to https://dkjndlsknld-secondary.z13.web.core.windows.net/ |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Redirect from: ad.doubleclick.net to https://d3.kihnccf7.sa.com/?t=scott%40lcatterton.com&gclid=eaiaiqobchmiimtqotwhiqmvaegdcr0rhgdmeaeyasaaegilb_d_bwe&dclid=cnao6uyo7oodfeet_qcdkscraa |
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108 |
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10 |
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95 |
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.73 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | HTTP traffic detected: GET /s/si15COYvJJSRLD3svhDSGbOPs?domain=ejfv5thbb.cc.rs6.net HTTP/1.1Host: url.us.m.mimecastprotect.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |