
Windows Analysis Report
https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com

Overview

General Information

Sample URL: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com
Analysis ID: 1648823

Detection

HTMLPhisher
Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

AI detected phishing page
Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish10
Uses IPFS gateway to access IPFS content in browser (often used in phishing/scams)
Creates files inside the system directory
Deletes files inside the Windows folder
HTML body contains low number of good links
HTML body contains password input but no form action
HTML title does not match URL
URL contains potential PII (phishing indication)

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 4492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 1472 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1928,i,1852976939572349471,9898801064967920268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 6708 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Source                  Rule                      Description                 Author        Strings
dropped/chromecache_65  JoeSecurity_HtmlPhish_10  Yara detected HtmlPhish_10  Joe Security
0.1.pages.csv           JoeSecurity_HtmlPhish_10  Yara detected HtmlPhish_10  Joe Security
1.3.pages.csv           JoeSecurity_HtmlPhish_10  Yara detected HtmlPhish_10  Joe Security
1.4.pages.csv           JoeSecurity_HtmlPhish_10  Yara detected HtmlPhish_10  Joe Security

No Sigma rule has matched
No Suricata rule has matched


          AV Detection

Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | Avira URL Cloud: detection malicious, Label: phishing

          Phishing

Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | Joe Sandbox AI: Score: 9 Reasons: The brand 'DHL' is well-known and has a strong online presence., The URL 'bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link' does not match the legitimate domain 'dhl.com'., The URL uses 'ipfs.dweb.link', which is a decentralized web hosting service, not typically associated with DHL., The use of a decentralized web link and a non-standard domain extension is suspicious for a well-known brand like DHL., The presence of input fields for email and password suggests an attempt to capture sensitive information, which is a common phishing tactic. DOM: 0.1.pages.csv
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | Joe Sandbox AI: Score: 9 Reasons: The URL 'bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link' does not match the legitimate domain for Amazon, which is 'amazon.com'., The URL uses 'ipfs.dweb.link', which is a decentralized web link and not associated with Amazon's official domains., The use of a decentralized web link (IPFS) is unusual for a well-known brand like Amazon, which typically uses its own domain., The presence of an email input field with a domain 'amazon.de' suggests an attempt to mimic Amazon's German site, but the URL does not match any known Amazon domain., The URL structure and domain extension are suspicious and not typical for a legitimate Amazon site. DOM: 1.4.pages.csv
Source: Yara match | File source: 0.1.pages.csv, type: HTML
Source: Yara match | File source: 1.3.pages.csv, type: HTML
Source: Yara match | File source: 1.4.pages.csv, type: HTML
Source: Yara match | File source: dropped/chromecache_65, type: DROPPED
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | HTTP Parser: Gateway: dweb.link
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link | HTTP Parser: Gateway: dweb.link
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | HTTP Parser: Gateway: dweb.link
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | HTTP Parser: Number of links: 0
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | HTTP Parser: Number of links: 0
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | HTTP Parser: Title: DHL does not match URL
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | HTTP Parser: Title: AMAZON does not match URL
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | Sample URL: PII: ixxx@dhl.com
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | HTTP Parser: Iframe src: https://dhl.com
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | HTTP Parser: Iframe src: https://amazon.de
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | HTTP Parser: <input type="password" .../> found
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | HTTP Parser: <input type="password" .../> found
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | HTTP Parser: No <meta name="author".. found
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | HTTP Parser: No <meta name="author".. found
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | HTTP Parser: No <meta name="copyright".. found
Source: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@amazon.de | HTTP Parser: No <meta name="copyright".. found
Source: unknown | HTTPS traffic detected: 209.94.90.2:443 -> 192.168.2.16:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 209.94.90.2:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.251.40.196:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 156.137.3.32:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.251.40.196:443 -> 192.168.2.16:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 176.32.108.185:443 -> 192.168.2.16:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.77.222.3:443 -> 192.168.2.16:49748 version: TLS 1.2
Source: chrome.exe | Memory has grown: Private usage: 6MB later: 39MB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (36 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203 (7 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211 (7 occurrences)
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1
    Host: stackpath.bootstrapcdn.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s2/favicons?domain=https://dhl.com HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    X-Client-Data: CLbgygE=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Sec-Fetch-Storage-Access: active
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: dhl.com
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: iframe
    Sec-Fetch-Storage-Access: active
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Host: bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
    Cookie: __cflb=0H28vfBcRp8CUUsiCN8cr6bbCuS8szgqqRMtG4EiAsN
Source: global traffic | HTTP traffic detected:
    GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1
    Host: stackpath.bootstrapcdn.com
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s2/favicons?domain=https://dhl.com HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    X-Client-Data: CLbgygE=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Sec-Fetch-Storage-Access: active
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Host: bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
    Cookie: __cflb=0H28vfBcRp8CUUsiCN8cr6bbCuS8szgqqRMtG4EiAsN
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link
    Connection: keep-alive
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
    Cookie: __cflb=0H28vfBcRp8CUUsiCN8cr6bbCuS8szgqqRMtG4EiAsN
Source: global traffic | HTTP traffic detected:
    GET /s2/favicons?domain=https://amazon.de HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    X-Client-Data: CLbgygE=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Sec-Fetch-Storage-Access: active
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: amazon.de
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: iframe
    Sec-Fetch-Storage-Access: active
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: www.amazon.de
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: iframe
    Sec-Fetch-Storage-Access: active
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Referer: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | DNS traffic detected: DNS query: bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link
Source: global traffic | DNS traffic detected: DNS query: stackpath.bootstrapcdn.com
Source: global traffic | DNS traffic detected: DNS query: dhl.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic | DNS traffic detected: DNS query: beacons.gvt2.com
Source: global traffic | DNS traffic detected: DNS query: beacons2.gvt2.com
Source: global traffic | DNS traffic detected: DNS query: amazon.de
Source: global traffic | DNS traffic detected: DNS query: www.amazon.de
Source: global traffic | DNS traffic detected: DNS query: beacons3.gvt2.com
Source: global traffic | DNS traffic detected: DNS query: beacons4.gvt2.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 26 Mar 2025 07:31:39 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 191
    Connection: close
    access-control-allow-headers: Content-Type
    access-control-allow-headers: Range
    access-control-allow-headers: User-Agent
    access-control-allow-headers: X-Requested-With
    access-control-allow-methods: GET
    access-control-allow-methods: HEAD
    access-control-allow-methods: OPTIONS
    access-control-allow-origin: *
    access-control-expose-headers: Content-Length
    access-control-expose-headers: Content-Range
    access-control-expose-headers: X-Chunked-Output
    access-control-expose-headers: X-Ipfs-Path
    access-control-expose-headers: X-Ipfs-Roots
    access-control-expose-headers: X-Stream-Output
    x-content-type-options: nosniff
    x-ipfs-path: /ipfs/bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa/favicon.ico
    x-ipfs-pop: rainbow-dc13-07
    CF-Cache-Status: EXPIRED
    Set-Cookie: __cflb=0H28vfBcRp8CUUsiCN8cr6bbCuS8szgqqRMtG4EiAsN; SameSite=None; Secure; path=/; expires=Thu, 27-Mar-25 06:31:39 GMT; HttpOnly
    Server: cloudflare
    CF-RAY: 9264f31c8bfecef2-EWR
    alt-svc: h3=":443"; ma=86400
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 26 Mar 2025 07:32:38 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 191
    Connection: close
    access-control-allow-headers: Content-Type
    access-control-allow-headers: Range
    access-control-allow-headers: User-Agent
    access-control-allow-headers: X-Requested-With
    access-control-allow-methods: GET
    access-control-allow-methods: HEAD
    access-control-allow-methods: OPTIONS
    access-control-allow-origin: *
    access-control-expose-headers: Content-Length
    access-control-expose-headers: Content-Range
    access-control-expose-headers: X-Chunked-Output
    access-control-expose-headers: X-Ipfs-Path
    access-control-expose-headers: X-Ipfs-Roots
    access-control-expose-headers: X-Stream-Output
    x-content-type-options: nosniff
    x-ipfs-path: /ipfs/bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa/favicon.ico
    x-ipfs-pop: rainbow-dc13-07
    CF-Cache-Status: HIT
    Age: 59
    Server: cloudflare
    CF-RAY: 9264f48dac664b06-EWR
    alt-svc: h3=":443"; ma=86400
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir4492_389306882
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir4492_389306882
Source: classification engine | Classification label: mal68.phis.win@25/7@49/168
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1928,i,1852976939572349471,9898801064967920268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 occurrences)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1928,i,1852976939572349471,9898801064967920268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (10 occurrences)
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: Window RecorderWindow detected: More than 3 window changes detected
MITRE ATT&CK matrix, one line per tactic (the counts shown in the original matrix cells are given in parentheses after the technique):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Drive-by Compromise (1); Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); Extra Window Memory Injection (1); Logon Script (Windows); Login Hook
Defense Evasion: Masquerading (1); Process Injection (1); File Deletion (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Ingress Tool Transfer (3)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Screenshots: thumbnail images are not reproduced in this text export.
Source | Detection | Scanner | Label
https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com | 100% | Avira URL Cloud | phishing
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://dhl.com/ | 0% | Avira URL Cloud | safe
https://www.google.com/s2/favicons?domain=https://dhl.com | 0% | Avira URL Cloud | safe
https://amazon.de/ | 0% | Avira URL Cloud | safe
https://www.google.com/s2/favicons?domain=https://amazon.de | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
stackpath.bootstrapcdn.com | 104.18.11.207 | true | false | - | high
beacons3.gvt2.com | 142.250.176.195 | true | false | - | high
amazon.de | 176.32.108.185 | true | true | - | unknown
bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link | 209.94.90.2 | true | true | - | unknown
dhl.com | 156.137.3.32 | true | true | - | unknown
beacons-handoff.gcp.gvt2.com | 142.251.116.94 | true | false | - | high
e15317.dsca.akamaiedge.net | 104.77.222.3 | true | false | - | unknown
www.google.com | 142.251.40.196 | true | false | - | high
beacons2.gvt2.com | 66.102.1.94 | true | false | - | high
beacons.gvt2.com | 142.251.116.94 | true | false | - | high
beacons4.gvt2.com | 216.239.32.116 | true | false | - | high
beacons6.gvt2.com | 142.250.65.163 | true | false | - | high
www.amazon.de | unknown | unknown | false | - | high
beacons.gcp.gvt2.com | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://www.google.com/s2/favicons?domain=https://amazon.de | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js | false | - | high
https://www.google.com/s2/favicons?domain=https://dhl.com | false | Avira URL Cloud: safe | unknown
https://dhl.com/ | false | Avira URL Cloud: safe | unknown
https://amazon.de/ | false | Avira URL Cloud: safe | unknown
https://www.amazon.de/ | false | - | high
                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.72.106 | unknown | United States | 15169 | GOOGLEUS | false
142.250.65.163 | beacons6.gvt2.com | United States | 15169 | GOOGLEUS | false
104.77.222.3 | e15317.dsca.akamaiedge.net | United States | 16625 | AKAMAI-ASUS | false
142.250.80.100 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.228 | unknown | United States | 15169 | GOOGLEUS | false
142.250.80.10 | unknown | United States | 15169 | GOOGLEUS | false
176.32.108.185 | amazon.de | Ireland | 16509 | AMAZON-02US | true
104.18.11.207 | stackpath.bootstrapcdn.com | United States | 13335 | CLOUDFLARENETUS | false
142.251.40.100 | unknown | United States | 15169 | GOOGLEUS | false
142.251.41.14 | unknown | United States | 15169 | GOOGLEUS | false
142.251.32.110 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.99 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.196 | www.google.com | United States | 15169 | GOOGLEUS | false
156.137.3.32 | dhl.com | Czech Republic | 2571 | DHLNETCZ | true
142.251.35.164 | unknown | United States | 15169 | GOOGLEUS | false
209.94.90.2 | bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link | United States | 40680 | PROTOCOLUS | true
172.253.115.84 | unknown | United States | 15169 | GOOGLEUS | false
142.251.35.174 | unknown | United States | 15169 | GOOGLEUS | false
142.250.80.106 | unknown | United States | 15169 | GOOGLEUS | false
                                          IP
                                          192.168.2.16
                                          192.168.2.23
                                          Joe Sandbox version:42.0.0 Malachite
                                          Analysis ID:1648823
                                          Start date and time:2025-03-26 08:30:57 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                          Sample URL:https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • EGA enabled
                                          Analysis Mode:stream
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal68.phis.win@25/7@49/168
                                          • Exclude process from analysis (whitelisted): svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 142.251.32.110, 142.250.65.163, 142.251.35.174, 172.253.115.84, 142.250.65.238, 142.250.72.106, 142.251.40.206, 142.250.80.10, 142.251.40.234, 142.250.80.74, 142.250.80.106, 142.251.41.10, 142.251.40.202, 142.251.32.106, 142.250.65.234, 142.251.35.170, 142.250.176.202, 142.251.40.138, 142.250.65.170, 142.250.65.202, 142.251.40.106, 142.250.81.234, 142.251.40.100
                                          • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, content-autofill.googleapis.com, ajax.googleapis.com, clientservices.googleapis.com, t2.gstatic.com, clients.l.google.com
• Not all processes were analyzed; the report is missing behavior information
                                          • Report size getting too big, too many NtOpenFile calls found.
                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                          • VT rate limit hit for: https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:downloaded
                                          Size (bytes):28
                                          Entropy (8bit):4.2359263506290326
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:6A04BBB51F277E280344001CFF2A8BC3
                                          SHA1:92C8774F7BB5476EA1C65148007E3C9836333DBA
                                          SHA-256:C3E9AC6BA7FED5E5545E9B5AAF0B27B389F55ED261F473E8E3A185F0A0EB80F8
                                          SHA-512:30B147AA8BADE4B49FF2F810BA099029FCB7F944CE56E38ECEC1C37DC92650C2998B5F7C7BDE6113E589F5197875EF1741E09A00C39CD64315532C4B6848969A
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://content-autofill.googleapis.com/v1/pages/ChRDaHJvbWUvMTM0LjAuNjk5OC4zNhIgCWvItwfA4boFEgUNg6hbPRIFDWUhmeoh5JZWJxB1M48=?alt=proto
                                          Preview:ChIKBw2DqFs9GgAKBw1lIZnqGgA=
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:ASCII text
                                          Category:downloaded
                                          Size (bytes):191
                                          Entropy (8bit):4.777659284604719
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F163C14E832A1C360DA6798DB3A8DD0E
                                          SHA1:635FBBA7F563CA4D31D294806D60D3CFDAC45F1E
                                          SHA-256:AFBD7DE49351BF14BA994F33EFF49BFC9A8C82BB2C12737F7B6BEED9C5EE4CEA
                                          SHA-512:399C2F503D815F819370B56EA160D0587E475C886CCF488FB7E39EA4CD1950CFFE01AEB6D2741F69FD2D1418E19717B66E07AA5E6921938F0A191368AEF28F83
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/favicon.ico
                                          Preview:failed to resolve /ipfs/bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa/favicon.ico: no link named "favicon.ico" under bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                          Category:downloaded
                                          Size (bytes):460758
                                          Entropy (8bit):4.890686514620885
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F849B96A1D95D214935CC05CBFDE54CA
                                          SHA1:A7DE7DEF9A9DAF5804E7D9EBDE862E2A2B279B5F
                                          SHA-256:7B93E89414197B9797DA5ACABB34DDE3ADBBA8F558103A5A330DE82A0A71F990
                                          SHA-512:C0445E1C9DC03C43D04B2F9C9994D2BC58BF557E4836766E8243FD6CF302C167C6C06CFF2F924695315BBD3E8387BB204AF5402091EF2277D8E1CA406FC70648
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/
                                          Preview:<!DOCTYPE html> ..<html lang="zxx">..<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. .. <title class="logoname">Mail</title>.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script> .. ..<link rel="apple-touch-icon" type="image/png" class="logoimg" href="" /> ..<link rel="shortcut icon" type="image/x-icon" class="logoimg" href="" />..<link rel="mask-icon" type="" class="logoimg" href="" color="#111" />..<meta name="robots" content="noindex">..<meta name="googlebot" content="noindex">..<meta name="googlebot-news" content="noindex" />..<meta name="otherbot" content="noindex" />..<meta name="noarchive" content="noindex" />..<meta name="nosnippet" content="noindex" />..<meta name="noimageindex" content="noindex" /> ..<meta name="robots" content="nofollow">..<meta name="googlebot" content="nofollow">..<meta name="googlebot-news" content="no
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:PNG image data, 16 x 16, 8-bit colormap, non-interlaced
                                          Category:downloaded
                                          Size (bytes):250
                                          Entropy (8bit):6.671321609828868
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:FF0345F30CD0762E3904FC223B3F7B66
                                          SHA1:C0314A68CAE98FB03812C29C6913E0D02FE2D2FE
                                          SHA-256:A9E6FC0F96C0145A239B88E73CFA8BE0A46427BE5E30645B6CAEB317F1760A12
                                          SHA-512:C86EC6CAB15CAF0F59E46122736F4D922249F63C671B8381D8FC329DA208E6AF022C7E0827A162D8C14794054A7BDD6888ACB637E6B4BBEE0D6EB162CE57C476
                                          Malicious:false
                                          Reputation:unknown
                                          URL:"https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=https://dhl.com&size=16"
                                          Preview:.PNG........IHDR.............(-.S...QPLTE.............................................y..8".X..?...#.S...'.\..a..N..t.....q...dIDAT.......0.D)P...u.....w}....<..p.L..$b@F.......Cc.%...B.a.I.;...e..=.t...DZ5.m.U.ZIw.1....q......,....r....IEND.B`.
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                          Category:dropped
                                          Size (bytes):516
                                          Entropy (8bit):7.431753204569005
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:11B2E63F0AD7440683DA67FC5AEA1AE8
                                          SHA1:4CA8F900A09775C36405106FF12C3D31CBDF908A
                                          SHA-256:78D23AF2CD79BCE1640DD74FD18A8741574A770B74242F024A555FB584DBC33C
                                          SHA-512:E194427F40190EC9FC444FAB68BD74C88CA2C6E2211010F96E61278F2E2F4B7B95D61E8E0127FB72EB516692AC6D65EA2DA744B89993F33039162B0B159706CF
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:.PNG........IHDR................a....IDAT8...?hSQ...Os3U.pi...D.L..:5o..........n"X\..-.Cpi......).&..B..5..O;4.qxi......p..w.s..IiI.$....3.I[........6.F....eqsi.j.J.V..LS{....(.[.Z-II...t...R..8.t:..y.N".X...... ..}..p..0..l.j......-.g.t.]....)c.....T.2F.bQ....$8..t(.\...fi...0.gs.+.....%.9.H.uO...T<.S..2F9.V.uU.T..8.....y)}X..$....\_....r...0w.......j...k.....)..2..kW.I?:...;..w..I.....9..,...`o...G.....phI......||..6.F...s....r%...0g.Z.....y.t...F.!s.r.I......B....g.?.I..q[/...J....IEND.B`.
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:ASCII text, with very long lines (32065)
                                          Category:downloaded
                                          Size (bytes):85578
                                          Entropy (8bit):5.366055229017455
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:2F6B11A7E914718E0290410E85366FE9
                                          SHA1:69BB69E25CA7D5EF0935317584E6153F3FD9A88C
                                          SHA-256:05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
                                          SHA-512:0D40BCCAA59FEDECF7243D63B33C42592541D0330FEFC78EC81A4C6B9689922D5B211011CA4BE23AE22621CCE4C658F52A1552C92D7AC3615241EB640F8514DB
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
                                          Preview:/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="2.2.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call
                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                          File Type:ASCII text, with very long lines (50758)
                                          Category:downloaded
                                          Size (bytes):51039
                                          Entropy (8bit):5.247253437401007
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:67176C242E1BDC20603C878DEE836DF3
                                          SHA1:27A71B00383D61EF3C489326B3564D698FC1227C
                                          SHA-256:56C12A125B021D21A69E61D7190CEFA168D6C28CE715265CEA1B3B0112D169C4
                                          SHA-512:9FA75814E1B9F7DB38FE61A503A13E60B82D83DB8F4CE30351BD08A6B48C0D854BAF472D891AF23C443C8293380C2325C7B3361B708AF9971AA0EA09A25CDD0A
                                          Malicious:false
                                          Reputation:unknown
                                          URL:https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
                                          Preview:/*!. * Bootstrap v4.1.3 (https://getbootstrap.com/). * Copyright 2011-2018 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors). * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). */.!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("jquery"),require("popper.js")):"function"==typeof define&&define.amd?define(["exports","jquery","popper.js"],e):e(t.bootstrap={},t.jQuery,t.Popper)}(this,function(t,e,h){"use strict";function i(t,e){for(var n=0;n<e.length;n++){var i=e[n];i.enumerable=i.enumerable||!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(t,i.key,i)}}function s(t,e,n){return e&&i(t.prototype,e),n&&i(t,n),t}function l(r){for(var t=1;t<arguments.length;t++){var o=null!=arguments[t]?arguments[t]:{},e=Object.keys(o);"function"==typeof Object.getOwnPropertySymbols&&(e=e.concat(Object.getOwnPropertySymbols(o).filter(function(t){return Object.getOwnPropertyDescriptor(o,t).enum
                                          No static file info