Edit tour

Windows Analysis Report
https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com

Overview

General Information

Sample URL:https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com
Analysis ID:1641500
Infos:

Detection

HTMLPhisher, Invisible JS, Tycoon2FA
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected AntiDebug via timestamp check
Yara detected HtmlPhish44
Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
Yara detected Tycoon 2FA PaaS
AI detected suspicious Javascript
HTML page contains hidden javascript code
URL contains potential PII (phishing indication)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w11x64_office
  • chrome.exe (PID: 5256 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: DBE43C1D0092437B88CFF7BD9ABC336C)
    • chrome.exe (PID: 2552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1888,i,10021072340321718718,9143250558876863238,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=1988 /prefetch:11 MD5: DBE43C1D0092437B88CFF7BD9ABC336C)
  • chrome.exe (PID: 6640 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com" MD5: DBE43C1D0092437B88CFF7BD9ABC336C)
  • cleanup
SourceRuleDescriptionAuthorStrings
dropped/chromecache_60JoeSecurity_HtmlPhish_44Yara detected HtmlPhish_44Joe Security
    SourceRuleDescriptionAuthorStrings
    0.2.d.script.csvJoeSecurity_Tycoon2FA_1Yara detected Tycoon 2FA PaaSJoe Security
      0.2.d.script.csvJoeSecurity_AntiDebugBrowserYara detected AntiDebug via timestamp checkJoe Security
        0.1.d.script.csvJoeSecurity_HangulCharacterYara detected Obfuscation Via HangulCharacterJoe Security
          0.1.d.script.csvJoeSecurity_InvisibleJSYara detected Invisible JSJoe Security
            0.6..script.csvJoeSecurity_Tycoon2FA_1Yara detected Tycoon 2FA PaaSJoe Security
              Click to see the 6 entries
              No Sigma rule has matched
              No Suricata rule has matched

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comAvira URL Cloud: detection malicious, Label: malware
              Source: https://nr2.vesuperw.ru/IDnh/Avira URL Cloud: Label: malware

              Phishing

              barindex
              Source: Yara matchFile source: dropped/chromecache_60, type: DROPPED
              Source: Yara matchFile source: 0.1.d.script.csv, type: HTML
              Source: Yara matchFile source: 0.0.pages.csv, type: HTML
              Source: Yara matchFile source: 0.1.pages.csv, type: HTML
              Source: Yara matchFile source: 0.1.d.script.csv, type: HTML
              Source: Yara matchFile source: 0.0.pages.csv, type: HTML
              Source: Yara matchFile source: 0.1.pages.csv, type: HTML
              Source: Yara matchFile source: 0.2.d.script.csv, type: HTML
              Source: Yara matchFile source: 0.6..script.csv, type: HTML
              Source: Yara matchFile source: 0.0.pages.csv, type: HTML
              Source: Yara matchFile source: 0.1.pages.csv, type: HTML
              Source: 0.0..script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: https://nr2.vesuperw.ru/IDnh/... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `atob` and `decodeURIComponent` to decode and execute remote code is a clear indicator of malicious intent. Additionally, the script appears to be sending data to an untrusted domain, which further increases the risk. Overall, this script exhibits a high level of suspicion and should be treated as a potential security threat.
              Source: 0.1.d.script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... The script uses dynamic code execution via eval, which is a high-risk indicator. It also contains obfuscated code, another high-risk indicator. The combination of these behaviors suggests a high potential for malicious activity.
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comHTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Office 365 Documentation</title> <style> body { font-family: Arial, sans-serif...
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
              Source: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comSample URL: PII: Dkeyaccount@foster-uk.com
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.24:60830 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.24:60829 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 151.101.130.137:443 -> 192.168.2.24:60833 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.24:60834 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.18.94.41:443 -> 192.168.2.24:60835 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.16.5.189:443 -> 192.168.2.24:60838 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.24:60839 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.16.3.189:443 -> 192.168.2.24:60840 version: TLS 1.2
              Source: chrome.exeMemory has grown: Private usage: 6MB later: 36MB
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /IDnh/ HTTP/1.1Host: nr2.vesuperw.ruConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /turnstile/v0/api.js?onload=onloadTurnstileCallback HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /turnstile/v0/g/f3b948d8acb8/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /favicon.png HTTP/1.1Host: developers.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://nr2.vesuperw.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /favicon.png HTTP/1.1Host: developers.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=XQEL5o6Y9alZ55i5.xBy1bTl.WGKc2aImajzIxKVJ58-1742289592-1.0.1.1-EUOFYmWZnifvHMNzW6_I_AfNwrEzJhvFwzZsTsM9Q6X8J97kXeQkxDhB38llhV.rzppYao7uTMZUVN.sAdnMrZNfESTZizsjso0kbQ5OgsI
              Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
              Source: global trafficHTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
              Source: global trafficHTTP traffic detected: GET /r/r1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
              Source: global trafficDNS traffic detected: DNS query: nr2.vesuperw.ru
              Source: global trafficDNS traffic detected: DNS query: code.jquery.com
              Source: global trafficDNS traffic detected: DNS query: challenges.cloudflare.com
              Source: global trafficDNS traffic detected: DNS query: cdnjs.cloudflare.com
              Source: global trafficDNS traffic detected: DNS query: developers.cloudflare.com
              Source: global trafficDNS traffic detected: DNS query: www.google.com
              Source: global trafficDNS traffic detected: DNS query: c.pki.goog
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60829
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60839
              Source: unknownNetwork traffic detected: HTTP traffic on port 60830 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60838
              Source: unknownNetwork traffic detected: HTTP traffic on port 60839 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60840
              Source: unknownNetwork traffic detected: HTTP traffic on port 60835 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60838 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60837 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60840 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60833 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60834 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60837
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60835
              Source: unknownNetwork traffic detected: HTTP traffic on port 60829 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60834
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60833
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60830
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.24:60830 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.24:60829 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 151.101.130.137:443 -> 192.168.2.24:60833 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.24:60834 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.18.94.41:443 -> 192.168.2.24:60835 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.16.5.189:443 -> 192.168.2.24:60838 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.24:60839 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.16.3.189:443 -> 192.168.2.24:60840 version: TLS 1.2
              Source: classification engineClassification label: mal100.phis.evad.win@21/0@15/56
              Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1888,i,10021072340321718718,9143250558876863238,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=1988 /prefetch:11
              Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com"
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1888,i,10021072340321718718,9143250558876863238,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=1988 /prefetch:11
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown

              Malware Analysis System Evasion

              barindex
              Source: Yara matchFile source: 0.2.d.script.csv, type: HTML
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
              Browser Extensions
              1
              Process Injection
              1
              Process Injection
              OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
              Extra Window Memory Injection
              1
              Extra Window Memory Injection
              LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media2
              Non-Application Layer Protocol
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive3
              Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
              Ingress Tool Transfer
              Traffic DuplicationData Destruction

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand
              SourceDetectionScannerLabelLink
              https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com100%Avira URL Cloudmalware
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              SourceDetectionScannerLabelLink
              https://nr2.vesuperw.ru/IDnh/100%Avira URL Cloudmalware
              NameIPActiveMaliciousAntivirus DetectionReputation
              bg.microsoft.map.fastly.net
              199.232.214.172
              truefalse
                high
                code.jquery.com
                151.101.130.137
                truefalse
                  high
                  developers.cloudflare.com
                  104.16.5.189
                  truefalse
                    high
                    cdnjs.cloudflare.com
                    104.17.24.14
                    truefalse
                      high
                      challenges.cloudflare.com
                      104.18.94.41
                      truefalse
                        high
                        www.google.com
                        142.250.185.196
                        truefalse
                          high
                          nr2.vesuperw.ru
                          188.114.96.3
                          truetrue
                            unknown
                            pki-goog.l.google.com
                            142.250.185.67
                            truefalse
                              high
                              c.pki.goog
                              unknown
                              unknownfalse
                                high
                                NameMaliciousAntivirus DetectionReputation
                                https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.comtrue
                                  unknown
                                  https://code.jquery.com/jquery-3.6.0.min.jsfalse
                                    high
                                    https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.jsfalse
                                      high
                                      https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallbackfalse
                                        high
                                        https://developers.cloudflare.com/favicon.pngfalse
                                          high
                                          https://nr2.vesuperw.ru/IDnh/true
                                          • Avira URL Cloud: malware
                                          unknown
                                          https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.jsfalse
                                            high
                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs
                                            IPDomainCountryFlagASNASN NameMalicious
                                            104.17.24.14
                                            cdnjs.cloudflare.comUnited States
                                            13335CLOUDFLARENETUSfalse
                                            104.16.3.189
                                            unknownUnited States
                                            13335CLOUDFLARENETUSfalse
                                            142.250.186.78
                                            unknownUnited States
                                            15169GOOGLEUSfalse
                                            1.1.1.1
                                            unknownAustralia
                                            13335CLOUDFLARENETUSfalse
                                            104.18.94.41
                                            challenges.cloudflare.comUnited States
                                            13335CLOUDFLARENETUSfalse
                                            142.250.185.110
                                            unknownUnited States
                                            15169GOOGLEUSfalse
                                            104.16.5.189
                                            developers.cloudflare.comUnited States
                                            13335CLOUDFLARENETUSfalse
                                            151.101.130.137
                                            code.jquery.comUnited States
                                            54113FASTLYUSfalse
                                            74.125.206.84
                                            unknownUnited States
                                            15169GOOGLEUSfalse
                                            142.250.185.196
                                            www.google.comUnited States
                                            15169GOOGLEUSfalse
                                            188.114.96.3
                                            nr2.vesuperw.ruEuropean Union
                                            13335CLOUDFLARENETUStrue
                                            142.250.184.227
                                            unknownUnited States
                                            15169GOOGLEUSfalse
                                            IP
                                            192.168.2.24
                                            Joe Sandbox version:42.0.0 Malachite
                                            Analysis ID:1641500
                                            Start date and time:2025-03-18 10:18:07 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                            Sample URL:https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com
                                            Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                                            Run name:Potential for more IOCs and behavior
                                            Number of analysed new started processes analysed:12
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • EGA enabled
                                            Analysis Mode:stream
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.phis.evad.win@21/0@15/56
                                            • Exclude process from analysis (whitelisted): svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23
                                            • Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, crt.comodoca.com
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            • VT rate limit hit for: https://nr2.vesuperw.ru/IDnh/#Dkeyaccount@foster-uk.com
                                            No created / dropped files found
                                            No static file info