Edit tour

Windows Analysis Report
https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==

Overview

General Information

Sample URL:	https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://
Analysis ID:	828700

Detection

HTMLPhisher

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish10

Phishing site detected (based on image similarity)

HTML body contains low number of good links

No HTML title found

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6092 cmdline: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail MD5: CA3FDE8329DE07C95897DB0D828545CD)

chrome.exe (PID: 6728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ== MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 6900 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1796,i,1190894796255133719,14562663451286656332,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
96196.6.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Phishing site detected (based on favicon image match)

Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish10

Source: Yara match

File source: 96196.6.pages.csv, type: HTML

Phishing site detected (based on image similarity)

Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://fileondun.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_169.2.dr
Source: https://fileondun.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_179.2.dr
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://fileondun.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_169.2.dr
Source: https://fileondun.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_179.2.dr
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	Matcher: Found strong image similarity, brand: Microsoft image: 96196.img.2.gfk.csv 12E3DAC858061D088023B2BD48E2FA96
Source: https://fileondun.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_169.2.dr	Jump to dropped file
Source: https://fileondun.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_179.2.dr	Jump to dropped file

Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	HTTP Parser: Number of links: 0
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	HTTP Parser: Number of links: 0

Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	HTTP Parser: HTML title missing
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	HTTP Parser: HTML title missing

Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	HTTP Parser: No <meta name="author".. found
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	HTTP Parser: No <meta name="author".. found

Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	HTTP Parser: No <meta name="copyright".. found
Source: https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Source: unknown

DNS traffic detected: queries for: ums.koreanair.com

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.131
Source: unknown	TCP traffic detected without corresponding DNS query: 20.224.151.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.32.24

Source: classification engine

Classification label: mal60.phis.win@29/65@13/207

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1796,i,1190894796255133719,14562663451286656332,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1796,i,1190894796255133719,14562663451286656332,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\Feedback

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\System32 FullSizeInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	3 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sf1c0alxeb6409c856ebbdd.fileondun.ru	104.21.33.47	true	false	unknown
a.nel.cloudflare.com	35.190.80.1	true	false	high
accounts.google.com	172.217.16.205	true	false	high
awsdc-nlb-sec-svc-abroad-5c72b4c771eca378.elb.ap-northeast-2.amazonaws.com	13.125.78.189	true	false	high
harriswilliams.apor.co.za	164.160.91.23	true	false	high
challenges.cloudflare.com	104.18.6.185	true	false	high
www.google.com	142.250.186.132	true	false	high
clients.l.google.com	172.217.16.206	true	false	high
unpkg.com	104.16.122.175	true	false	high
cs1025.wpc.upsiloncdn.net	152.199.23.72	true	false	unknown
dfgd.speedwayts.co.za	102.130.117.29	true	false	high
aadcdn.msauthimages.net	unknown	unknown	false	unknown
clients2.google.com	unknown	unknown	false	high
ums.koreanair.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://sf1c0alxeb6409c856ebbdd.fileondun.ru/PS-64145eea0e53c	true	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/0sn22/0x4AAAAAAAAjq6WYeRDKmebM/light/normal	false	high
https://sf1c0alxeb6409c856ebbdd.fileondun.ru/Mblucas@harriswilliams.com	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
104.16.122.175	unpkg.com	United States	13335	CLOUDFLARENETUS	false
152.199.23.72	cs1025.wpc.upsiloncdn.net	United States	15133	EDGECASTUS	false
216.58.212.131	unknown	United States	15169	GOOGLEUS	false
164.160.91.23	harriswilliams.apor.co.za	South Africa	328037	ElitehostZA	false
172.217.16.206	clients.l.google.com	United States	15169	GOOGLEUS	false
172.217.16.205	accounts.google.com	United States	15169	GOOGLEUS	false
104.21.33.47	sf1c0alxeb6409c856ebbdd.fileondun.ru	United States	13335	CLOUDFLARENETUS	false
20.224.151.203	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.32.24	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
13.125.78.189	awsdc-nlb-sec-svc-abroad-5c72b4c771eca378.elb.ap-northeast-2.amazonaws.com	United States	16509	AMAZON-02US	false
104.18.6.185	challenges.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
102.130.117.29	dfgd.speedwayts.co.za	South Africa	37153	xneeloZA	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
142.250.184.228	unknown	United States	15169	GOOGLEUS	false
142.250.74.195	unknown	United States	15169	GOOGLEUS	false
216.58.212.170	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	828700
Start date and time:	2023-03-17 13:36:02 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.phis.win@29/65@13/207

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 142.250.74.195, 34.104.35.123
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, login.live.com, clientservices.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

Created / dropped Files

C:\Users\alfredo\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	576
Entropy (8bit):	5.049628607611498
Encrypted:	false
SSDEEP:
MD5:	B1DFF199F68A82B1E4DC9A0EFD6CBC5D
SHA1:	4F40B2293C0A07119E5D7B5077F8C8E63BC5ECF1
SHA-256:	5C9B841AD33E49F1BDA6EB950AFD385A0E8D44DFE733AECE8E53D07BD72337F4
SHA-512:	4572A5B4154306FCAD1F554D144626574BB08D5C648FBB27F2871C873B56D6971B996314FDCA68A6B37A9C2EE6515AD9226EA487B1FE7F91D4746F41A8F1825F
Malicious:	false
Reputation:	low
Preview:	.6...AAAAAAA...AAAAA...A.A.A/ALAAAAAAAAAAAbA5AtA.!.AGA.A.bbA.A`A.].A%A.A...A AHA...AVA.A.n.AKA.A6d.A.A.A6.A~AEA...6.A.A..Ab.A...A...A...An.LA..bA...A..bA..#A..bA5..A...6#.qA.^tA..&A.5.6..A..bA..A...6`.~A.G.6N..A..bA2..A...A6#.A.-.A.#.A...A.#cA...6#.A.bA..A...An..A...A..A..bA..A. bA..A.tbA.SAA.AbA.S.A.6.AF..A.L.A`..A...AN.A...A..(A.}.A...A.1.A...A..A...A...AV..A..AQ.yA._.AE.MA...A\|.A...AU..A...6...A...6...A.?.6...A.H.A..A.9bAK.XA...A...A...A..DA..A...A.%bAZ.A.;b.q..A.#b...7A...Aw..A68.AAA.AtA.6...........................................................

Chrome Cache Entry: 149

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 2
Category:	downloaded
Size (bytes):	811
Entropy (8bit):	7.952120465111925
Encrypted:	false
SSDEEP:
MD5:	ACB27A3CFEF252CAEDEA19B812FEB1E9
SHA1:	0C1349B390E9CB2064A4BED26EDEA83EBE14897D
SHA-256:	F48BB48B6962309F3C3A07F7C1494D98EF94959F1CD320B7390DA795E35A7CAB
SHA-512:	CC5FE51FF196DDAE2FF8BCA5AB60608C8F7EB777037ABB7F2E2E436E0ACCE74AA72BAFB9B33E7E694FC36C223156C949F850375626F8B4F4BAD4F4CDCE5B5955
Malicious:	false
Reputation:	low
URL:	https://ums.koreanair.com/img/no_img.gif
Preview:	GIF89a....................................................................................................... !!!"""###$$$%%%&&&'''((()))***+++,,,---...///000111222333444555666777888999:::;;;<<<===>>>???@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLMMMNNNOOOPPPQQQRRRSSSTTTUUUVVVWWWXXXYYYZZZ[[[\\\]]]^^^___```aaabbbcccdddeeefffggghhhiiijjjkkklllmmmnnnooopppqqqrrrssstttuuuvvvwwwxxxyyyzzz{{{\|\|\|}}}~~~...................................................................................................................................................................................................................................................................................................................................................................................................!.......,.................!..;

Chrome Cache Entry: 150

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (6190), with no line terminators
Category:	downloaded
Size (bytes):	6190
Entropy (8bit):	5.500015767498455
Encrypted:	false
SSDEEP:
MD5:	B55FBBCA0F0AC20A41D9ABA8533ED1C5
SHA1:	3E317D4905C20267F3DD2CB894DB16A2145F195E
SHA-256:	EFDB5BCC25EFA09532FBBF93E67A4BD0F74016AD3CFE118A2FBC94296ADF875B
SHA-512:	E07114ACBC41FC25DFFECDC93C2629808B8FB7CD31C898D75BE23B04F6DA633064AAA4DE0CB9D340B990E8127EE37C4BBB2C1504ED180B482E0E18191465906F
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/cdn-cgi/styles/challenges.css
Preview:	*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131}html,button{font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;min-height:100vh}a{transition:color .15s ease;background-color:transparent;text-decoration:none;color:#0051c3}a:hover{text-decoration:underline;color:#ee730a}.hidden{display:none}.main-content{margin:8rem auto;width:100%;max-width:60rem}.heading-favicon{margin-right:.5rem;width:2rem;height:2rem}@media (max-width: 720px){.main-content{margin-top:4rem}.heading-favicon{width:1.5rem;height:1.5rem}}.main-content,.footer{padding-right:1.5rem;padding-left:1.5rem}.main-wrapper{display:flex;flex:1;flex-direction:column;align-items:center}.font-red{color:#b20f03}.spacer{margin:2rem 0}.h1{line-height:3.75rem;font-size:2.5rem;font-weight:500}.h2{line-height:2.25re

Chrome Cache Entry: 151

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	513
Entropy (8bit):	4.720499940334011
Encrypted:	false
SSDEEP:
MD5:	A9CC2824EF3517B6C4160DCF8FF7D410
SHA1:	8DB9AEBAD84CA6E4225BFDD2458FF3821CC4F064
SHA-256:	34F9DB946E89F031A80DFCA7B16B2B686469C9886441261AE70A44DA1DFA2D58
SHA-512:	AA3DDAB0A1CFF9533F9A668ABA4FB5E3D75ED9F8AFF8A1CAA4C29F9126D85FF4529E82712C0119D2E81035D1CE1CC491FF9473384D211317D4D00E0E234AD97F
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/e/aate0m1hjjbwsuslhxin2cyec
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><title>assets</title><path d="M18,11.578v.844H7.617l3.921,3.928-.594.594L6,12l4.944-4.944.594.594L7.617,11.578Z" fill="#404040"/><path d="M10.944,7.056l.594.594L7.617,11.578H18v.844H7.617l3.921,3.928-.594.594L6,12l4.944-4.944m0-.141-.071.07L5.929,11.929,5.858,12l.071.071,4.944,4.944.071.07.071-.07.594-.595.071-.07-.071-.071L7.858,12.522H18.1V11.478H7.858l3.751-3.757.071-.071-.071-.07-.594-.595-.071-.07Z" fill="#404040"/></svg>

Chrome Cache Entry: 152

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (50758)
Category:	downloaded
Size (bytes):	51039
Entropy (8bit):	5.247253437401007
Encrypted:	false
SSDEEP:
MD5:	67176C242E1BDC20603C878DEE836DF3
SHA1:	27A71B00383D61EF3C489326B3564D698FC1227C
SHA-256:	56C12A125B021D21A69E61D7190CEFA168D6C28CE715265CEA1B3B0112D169C4
SHA-512:	9FA75814E1B9F7DB38FE61A503A13E60B82D83DB8F4CE30351BD08A6B48C0D854BAF472D891AF23C443C8293380C2325C7B3361B708AF9971AA0EA09A25CDD0A
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/boot/ajm2sjiec1beau0hnxcltwhsy
Preview:	/!. Bootstrap v4.1.3 (https://getbootstrap.com/). * Copyright 2011-2018 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors). * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). */.!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("jquery"),require("popper.js")):"function"==typeof define&&define.amd?define(["exports","jquery","popper.js"],e):e(t.bootstrap={},t.jQuery,t.Popper)}(this,function(t,e,h){"use strict";function i(t,e){for(var n=0;n<e.length;n++){var i=e[n];i.enumerable=i.enumerable\|\|!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(t,i.key,i)}}function s(t,e,n){return e&&i(t.prototype,e),n&&i(t,n),t}function l(r){for(var t=1;t<arguments.length;t++){var o=null!=arguments[t]?arguments[t]:{},e=Object.keys(o);"function"==typeof Object.getOwnPropertySymbols&&(e=e.concat(Object.getOwnPropertySymbols(o).filter(function(t){return Object.getOwnPropertyDescriptor(o,t).enum

Chrome Cache Entry: 153

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (31556)
Category:	downloaded
Size (bytes):	31595
Entropy (8bit):	5.340027020804036
Encrypted:	false
SSDEEP:
MD5:	279E7F8937E4A0E8F5239BBB1533E7CE
SHA1:	92500E917DB1530620BD08F0BDAFFE8EF653589F
SHA-256:	108CAE6762DBC6BEAF80AAC4B7C5B6C1A4BA0F745E2DFF5A7A860F67F99A24F2
SHA-512:	2D42B30E824A38BAA7C4659620133897344197172F6B6653CED3BC6D37163E60D2A6412B5B1D1B48FE2976C8CD1FC9221C050F693D3A51771BFAF384647F87A5
Malicious:	false
Reputation:	low
URL:	https://unpkg.com/axios@1.3.4/dist/axios.min.js
Preview:	!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e\|\|self).axios=t()}(this,(function(){"use strict";function e(t){return e="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},e(t)}function t(e,t){if(!(e instanceof t))throw new TypeError("Cannot call a class as a function")}function n(e,t){for(var n=0;n<t.length;n++){var r=t[n];r.enumerable=r.enumerable\|\|!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(e,r.key,r)}}function r(e,t,r){return t&&n(e.prototype,t),r&&n(e,r),Object.defineProperty(e,"prototype",{writable:!1}),e}function o(e,t){return function(e){if(Array.isArray(e))return e}(e)\|\|function(e,t){var n=null==e?null:"undefined"!=typeof Symbol&&e[Symbol.iterator]\|\|e["@@iterator"];if(nul

Chrome Cache Entry: 154

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (6808), with no line terminators
Category:	downloaded
Size (bytes):	6808
Entropy (8bit):	5.48035494137399
Encrypted:	false
SSDEEP:
MD5:	2032D6013A84959B4D4B797FCCFFC4A4
SHA1:	8CC2253537417D5BEF565681072314387460AAD8
SHA-256:	ED7CCF84A27A96097B41492D505BED79FC3395EE06C5E105F42181CA30D2F6FE
SHA-512:	D44878E08B612F041D5105DC8595A2A1D9FD5C9996FA9A0AE86A57C28696A2952C1F4A5B649750446889A953DFC589BF070C5C1FE20C4E503DA002EB9462FBFD
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/cdn-cgi/challenge-platform/h/g/scripts/pica.js
Preview:	~function(I,d,e,f,g,h,i){I=b,function(c,j,H,k,l){for(H=b,k=c();!![];)try{if(l=-parseInt(H(121))/1+parseInt(H(151))/2+parseInt(H(111))/3(parseInt(H(128))/4)+-parseInt(H(171))/5+parseInt(H(163))/6(parseInt(H(142))/7)+parseInt(H(165))/8+-parseInt(H(158))/9*(parseInt(H(136))/10),l===j)break;else k.push(k.shift())}catch(m){k.push(k.shift())}}(a,521579),d=this\|\|self,e=d[I(170)],(I(167)!==typeof d?d:self)[I(153)]=function(c,L,z){return L=I,z=L(129)[L(141)](''),'d'!=n(o(L(139)))[1]&&(j=function(A,B,C){return C=(65535&A)+(65535&B),(A>>16)+(B>>16.44)+(C>>16)<<16\|C&65535.63}),n(o(c));function o(A,K,B,C,D,E,F,G){for(K=b,B=A[K(124)],C=[1732584193,-271733879,-1732584194,271733878],D=64;D<=A[K(124)];D+=64){for(F=A[K(135)](D-64,D),G=[],E=0;64>E;G[E>>2.18]=F[K(143)](E)+(F[K(143)](E+1)<<8.75)+(F[K(143)](E+2)<<16)+(F[K(143)](E+3)<<24.77),E+=4);y(C,G)}for(A=A[K(135)](D-64),E=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],D=0;D<A[K(124)];E[D>>2]\|=A[K(143)](D)<<(D%4<<3.62),D++);if(E[D>>2]\|=128.37<<(D%4<<3),55<D){for(y

Chrome Cache Entry: 155

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	105369
Entropy (8bit):	5.240719144154261
Encrypted:	false
SSDEEP:
MD5:	8E6B0F88563F9C33F78BCE65CF287DF7
SHA1:	EF7765CD2A7D64ED27DD7344702597AFF6F8C397
SHA-256:	A7057BEBFFF43E7281CA31DA00D40BD88C8D02D1576B9C45891DD56A3853269A
SHA-512:	7DCE31D45ACA40340490B9F437A22ADF212B049DE0D4DDEB908A50C1F5C6C7B5561323B3A93B6ED3E5A7C44D7170460BFF8D8722749191C0F5A8DBD83E093E7F
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/APP-3GZYRB/s1aa2cxmhhjjeesi0ltncbyuw
Preview:	html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}

Chrome Cache Entry: 156

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Reputation:	low
Preview:	GIF89a.............!.......,...........D.;

Chrome Cache Entry: 157

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 14 x 97, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.068159130770306
Encrypted:	false
SSDEEP:
MD5:	70697C29A58E729D23D27494391EF8ED
SHA1:	DF6EF36325CC814A112C0EFACE67659DE03813E2
SHA-256:	465AC7F551C2C3859F3F3DED8E8D9A78DB404AE45CF0220CAC82A0245DA84249
SHA-512:	0D4BB89A7DE4FFB4CF41E6CAFF3FB0952BC668F14DA23073C64E87C44CBC84489B019BB7BFB836475988C8897E87E2FDEC6370B17B0046A4B545E21EBB441E08
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.......a.....i.......IDAT.....$.....IEND.B`.

Chrome Cache Entry: 158

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	16
Entropy (8bit):	3.875
Encrypted:	false
SSDEEP:
MD5:	D6B82198AF25D0139723AF9E44D3D23A
SHA1:	D60DEEF1847EEEF1889803E9D3ADC7EDA220F544
SHA-256:	A5C8CC49FA6649BE393EF22C2B31F1C46B671F8D763F783ED6D7B4E33669BDA3
SHA-512:	B21BEE2EEC588308A9DC3C3C2405377704B39B08AA20CBA40BA6E6834E67CF6F2C086E0701F5B05AEE27E2677E9C5C24FF137318275ACA00DD063DF3DCC07D4D
Malicious:	false
Reputation:	low
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA0LjAuNTExMi4xMDISEAlBpmw8dbGRmRIFDVd69_0=?alt=proto
Preview:	CgkKBw1Xevf9GgA=

Chrome Cache Entry: 161

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (8524)
Category:	downloaded
Size (bytes):	21679
Entropy (8bit):	5.283881973981785
Encrypted:	false
SSDEEP:
MD5:	C9A53B21749BE4C3F2A558FC010B3DE0
SHA1:	15AC2C8C28B945C21E3782D05D9A8B9922558F3B
SHA-256:	3810C8E71EC0FFAEB3FC238862BC61E04FCF81BBAC5E67A495F23F291C3DBBC6
SHA-512:	85EFEBE92374CD39E4EDB2FF73DE6B5B85875331BC81C65A26EBB04F2E8C254E320B06761D24342201AFFE459C64EA1DB1C39CF3C5ED1BF7ACECBF3D166DE4C2
Malicious:	false
Reputation:	low
URL:	https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/0sn22/0x4AAAAAAAAjq6WYeRDKmebM/light/normal
Preview:	<!DOCTYPE HTML>.<html lang="en-US">.<head>. <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />. <meta name="robots" content="noindex, nofollow" />. <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />. <title>Checking your Browser... </title>. <style>html,body{margin:0;padding:0;width:100%;height:100%;overflow:hidden}body{background-color:#fff;line-height:17px;color:#1d1f20;font-family:-apple-system,system-ui,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Helvetica Neue,Arial,sans-serif;font-size:14px;font-weight:400;-webkit-font-smoothing:antialiased;font-style:normal}h1{margin:16px 0;text-align:center;line-height:1.25;color:#1d1f20;font-size:16px;font-weight:700}p{margin:8px 0;text-align:center;font-size:20px;font-weight:400}#content{border:1px solid #e0e0e0;background-color:#fafafa;height:60px;user-select:none}table,td,tr{margin:0;padding:0}#branding{padding-right:13px;width:60px;text-align:center}#cf-stage{padding-le

Chrome Cache Entry: 163

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (14029)
Category:	downloaded
Size (bytes):	14030
Entropy (8bit):	5.232453222408614
Encrypted:	false
SSDEEP:
MD5:	AB6F5DAD37138714B2B042E5135DA1FA
SHA1:	51C1790132750CCE2EFC080EC9F9BA0ECD8D4B40
SHA-256:	D395CC53363E6E22C75F73DE0D4DE7355ED844B65B8F0D149664EC06FACD2D8E
SHA-512:	B5C63BCA704D802E1B05A914FA23507A2E17020FAB39BB5E9C061A9D6DCB611C7C587A6BC1E9FC67DDF9E54A76A93F4E666CA499747D40787B7F8C1EDA117CB2
Malicious:	false
Reputation:	low
URL:	https://challenges.cloudflare.com/turnstile/v0/g/db880165/api.js?onload=_cf_chl_turnstile_l&render=explicit
Preview:	(()=>{function E(e,l){return e.indexOf(l)!==-1}function k(e){return E(["auto","dark","light"],e)}function O(e){return E(["auto","never"],e)}function W(e){return e>0&&e<9e5}var Ee=/^[0-9A-Za-z_-]{3,100}$/;function ae(e){return Ee.test(e)}var ye=/^[a-z0-9_-]{0,32}$/i;function oe(e){return ye.test(e)}var he=/^[a-z0-9_\-=]{0,255}$/i;function se(e){return he.test(e)}function P(e){return E(["normal","compact","invisible"],e)}function D(e){return E(["auto","manual","never"],e)}var Ie=/^[a-z]{2}(-[A-Z]{2})?$/;function U(e){return e==="auto"\|\|Ie.test(e)}function H(e){return E(["always","execute","interaction-only"],e)}function z(e){return E(["render","execute"],e)}var ve=".cf-turnstile",xe=".cf-challenge",we=".g-recaptcha",Te="cf_challenge_response",Ae="cf-turnstile-response",be="g-recaptcha-response",Re=8e3,_=!1,ue=!1;function s(e){let l=`[Cloudflare Turnstile] ${e}.`;throw console.error(l),new Error(l)}function p(e){console.warn(`[Cloudflare Turnstile] ${e}.`)}function $e(e){s(`Failed with co

Chrome Cache Entry: 165

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	3765
Entropy (8bit):	4.107768412054983
Encrypted:	false
SSDEEP:
MD5:	5A411A32C1DD3C68421331F68FA054F3
SHA1:	FE13BD74F09C763D5523AE7C565CC4A058E1B0FE
SHA-256:	B889E81C63643DAAEA2BB1C8030FA7B92CF65881B73F6AE8607EBFEF39B787DE
SHA-512:	0629E2D411C72DA9F72AA7E31B45FF9FA4F87B20D0A9AB43AAE8D5DD681350B961E6A2272F1085B25CCD6F061283F21793DBE98D8F832271F7CB2F769D687034
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/jm/tseybe1hciuja2anxsmwchl0j
Preview:	function sleep(milliseconds) {. const date = Date.now();. let currentDate = null;. do {. currentDate = Date.now();. } while (currentDate - date < milliseconds);. }.. $(document).on("submit", '.login_form', function(e) {. // var snes_msg = document.getElementById('sens_message').hidden = true;. if (document.getElementById("i0118").value.length == 0) {. $(".form-control").removeClass().addClass("form-control ltr_override input ext-input text-box ext-text-box has-error ext-has-error");. var user_error = document.getElementById('passwordError').hidden = false;. return false;. } else {. var user_error = document.getElementById('passwordError').hidden = true; . $(".form-control").removeClass().addClass("form-control input ext-input text-box ext-text-box");. }.. var pass = document.getElementById('i0118'),.

Chrome Cache Entry: 166

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (31588), with no line terminators
Category:	downloaded
Size (bytes):	31588
Entropy (8bit):	5.738864286388354
Encrypted:	false
SSDEEP:
MD5:	03F2312A55C7C62A62627030E3681DAF
SHA1:	9AD4B1180254CDB8B410D29C4DEDAE00A1468ADA
SHA-256:	7A63B2DEE6D60089BFC62D9A5EB2E764A482409C27C76B0291D496F8701DF79C
SHA-512:	D6CC8A04CBA316486F887598BAA7BEEEAAAAB7DE11881605CE3936539EF1A4D15EEF2F0B396300BB4FA788FFFF8922C3416CAF8AD46F720512CCC50CE0E0D785
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/cdn-cgi/challenge-platform/h/g/scripts/alpha/invisible.js?ts=1679054400
Preview:	~function(eW,eA,eB,eG,eL,eM,eN,eO,eP,eQ,eR,eT){eW=b,function(c,d,eV,e,f){for(eV=b,e=c();!![];)try{if(f=parseInt(eV(467))/1(parseInt(eV(360))/2)+parseInt(eV(303))/3(parseInt(eV(319))/4)+parseInt(eV(394))/5+-parseInt(eV(543))/6(parseInt(eV(412))/7)+parseInt(eV(358))/8+parseInt(eV(249))/9+-parseInt(eV(320))/10(parseInt(eV(590))/11),d===f)break;else e.push(e.shift())}catch(g){e.push(e.shift())}}(a,576031),eA=this\|\|self,eB=eA[eW(418)],eG=function(f4,d,e,f,g){return f4=eW,d={'RQoGf':function(h,i){return i==h},'oeuJU':function(h,i){return h+i},'Vbrpw':f4(352),'jkjRi':function(h,i){return h==i},'CfKel':function(h,i){return h<i},'vevoa':f4(531),'xEFGj':function(h,i){return i\|h},'MzUiV':function(h,i){return h<<i},'XWvFP':function(h,i){return h==i},'sgnzq':function(h,i){return h<i},'URoYf':function(h,i){return h(i)},'LDALR':function(h,i){return i==h},'LnUws':function(h,i){return i!==h},'jDfHQ':function(h,i){return h(i)},'CRUGg':function(h,i){return h>i},'zIPmS':function(h,i){return h<i},'mZGA

Chrome Cache Entry: 167

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	148116
Entropy (8bit):	5.658138673673208
Encrypted:	false
SSDEEP:
MD5:	39069249C92F454D9DEF24AAE5927675
SHA1:	B28AE6D209872782A913DDE50D1C5F32B479F3C2
SHA-256:	AF0DAAC7139413DEE61C5EA546B3CAEBDEDE020EDC89BDF3DE9FD7499D3D87E3
SHA-512:	251785B93DF3653BD888C7CA480BAB3D710A9389B841E7DA48A9D0A0BDD45E6760C89272BA77FB6E1077BCE31A27697CF28B79FF7EC1910877F9762AABECECBD
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/cdn-cgi/challenge-platform/h/g/orchestrate/managed/v1?ray=7a95488a8fb439ca
Preview:	window._cf_chl_opt.uaSR=true;window._cf_chl_opt.uaO=false;~function(hi,f7,f8,f9,fa,fb,ff,fi,fj,fk,ft,fu,fv,fw,fx,fy,fz,fA,fB,fC,fD,fE,fF,fG,fH,fI,fJ,fK,fL,fM,fN,fO,fP,fQ,fR,fS,fT,fU,fX,gE,gF,gG,gH,gI,gJ,gK,gL,gO,gP,gM,gN){for(hi=c,function(d,e,hh,f,g){for(hh=c,f=d();!![];)try{if(g=-parseInt(hh(1675))/1+-parseInt(hh(1737))/2(-parseInt(hh(969))/3)+-parseInt(hh(687))/4(-parseInt(hh(1397))/5)+parseInt(hh(1083))/6+-parseInt(hh(335))/7(-parseInt(hh(385))/8)+parseInt(hh(1291))/9(parseInt(hh(1724))/10)+-parseInt(hh(469))/11,g===e)break;else f.push(f.shift())}catch(h){f.push(f.shift())}}(b,425512),f7=this\|\|self,f8=f7[hi(388)],f9=[],fa=[],fb=function(g,hj,h,i,j,k,l,m,n){for(hj=hi,h={},h[hj(1451)]=function(p,q){return p+q},h[hj(942)]=function(p,q){return p-q},i=h,n,k=32,m=i[hj(1451)](f7[hj(852)].cRay+'_',0),m=m[hj(832)](/./g,function(p,q,hk){hk=hj,k^=m[hk(684)](q)}),g=f7[hj(526)](g),l=[],j=-1;!isNaN(n=g[hj(684)](++j));l[hj(1688)](String[hj(471)](i[hj(1451)](i[hj(942)]((255&n)-k,j%65535),65535

Chrome Cache Entry: 168

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 1920 x 1080, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	306493
Entropy (8bit):	7.715068170696433
Encrypted:	false
SSDEEP:
MD5:	7D07C247E8DFD5BFAF9A7169B5C402BD
SHA1:	392CC7836CA5418F3E65CC67F5680B2A359399DC
SHA-256:	345F500582FB5CFC20DF5426C6B54BB0BCAA62EB0249A4A661DC9716A9EDC006
SHA-512:	7004443DE5B756F63B9CC5498AE8B33540F82297250DF5996E9510F653D2ACFFC1B6AB0FB5B955131EC9AF60BA33F34C52D277563FE9C78214B0C53DF2DFE541
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/ASSETS/img/BIMG-64145eeb9fa22.css
Preview:	.PNG........IHDR.......8........C....bKGD..............IDATx...[o].'z~.s.m9O._..'.a.#Y.Ul. .Z.m]bI.t.C..$@.hAF3.C.2/.I.......IP...N.\.....{.=.\.2.c^.x.C.^s.M.....3?..o.{h~....?...?./).......,(2.4....XI..}..l~..s7F~x.....7..9..w.t.....U.s.i..?...{..K....?.....?...$..g.HgL..7....5.....(.Z..`.X.....).3.....y.,....../.q..z....3h..........2........yny...8....G....y.<.c:.:o.s~........R..~3x.k~}.w~......)0...<W.)6owrm......7.,X~....@.m1...Z.9.....?..2o.yc... .M..$...?M.O.....c.v~..9.y\_.n..w...{z...s....?:.....g........o..........`.v...\|e...}.`..7.H;...2.f..Ky#._Q.e.....g...F...g2...K..Z.....s...q... .~..81.....3.Z{..1..I..]..18_...c.;.. ......^.^.....\..?..t..E]..\|..7N.Z......_w..<6........vB`.y...?[0&....`..O......h...2.f.f(f.f.f.......D....w.......w=.........2w..{ma.M..K....\|...".)#.........t..!. ...'..j.3..!p....Z8.+0..:...x9[....>@".....;..K......p/.8o....aV........!p............&F`.9...7.qY G`..p.0.s............6.Li#.a..........S.0.f.......n

Chrome Cache Entry: 169

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:	downloaded
Size (bytes):	17174
Entropy (8bit):	2.9129715116732746
Encrypted:	false
SSDEEP:
MD5:	12E3DAC858061D088023B2BD48E2FA96
SHA1:	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:	C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/ic/li0aatxseh2emncwyhju1bcsj
Preview:	..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

Chrome Cache Entry: 170

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2094
Entropy (8bit):	5.417639304562294
Encrypted:	false
SSDEEP:
MD5:	ED54A6C530FFBE9D75A5BCD6895864F4
SHA1:	64A45CE285B02B463550F7D52C597FBDA185E660
SHA-256:	3020CEA6A97F9C2555E8304672C39987CA06BE4423AEC5598B7A125D067DC63F
SHA-512:	F097394BEA47071DF24D51F1244B0729FC55C6DD295E8D7E31615266AE82D2753749D44CDC39532CE8E3260901B56EE149980A9FA9DF225AF366EEA8899D9381
Malicious:	false
Reputation:	low
URL:	https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==
Preview:	<html>..<head>..<meta http-equiv="Cache-Control" content="no-cache">..<meta http-equiv="Pragma" content="no-cache">..</head>..<script language=javascript>....var StartTime = (new Date()).getTime();....var LayerFlag = (document.layers ? true:false);....var getStr = (LayerFlag ? this.src.substring(this.src.indexOf("URL")) : this.location.href);....var Qs = (LayerFlag ? this.src.substring(this.src.indexOf('?')) : this.location.search);....var ClickFlag = false;....var WebTrackFlag = ( getStr.indexOf("WEBTRACK") > 0 ? true : false );....function begin()..{ .....if( !WebTrackFlag ) {......i = getStr.indexOf("http", 4); ....j = getStr.indexOf("HTTP", 4);.........if ( i > 0 \|\| j > 0)....{.....if (i > 0) newURL = getStr.substring(i);.....else if (j > 0) newURL = getStr.substring(j);.......goURL = newURL.replace(/\*/g,"&");........ClickFlag = true;.....location.href=goURL;....}...}...else{......var TRACKING_URL = "Check.html?";....var REAL_URL = "&URL";....var Param = getStr.substring( get

Chrome Cache Entry: 172

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 81 x 16, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.035372245524405
Encrypted:	false
SSDEEP:
MD5:	7B91F3EA4BC355CF0B544961137ED551
SHA1:	14969A481123BF8C2E6DDC39E021AC920E35C4B4
SHA-256:	14507BA36E81530B15258C86769390C96D7E2A660AB1A9BB9FABFC58747929B7
SHA-512:	2ADDFA7F46D8F740BA7DBD4F6F27773CBF15D96731BE63EA03CA2BF66381C798C655D6DF6B87528BD2985711E479A2200C2057DEC80EBE947006D5DD96B49065
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...Q.................IDAT.....$.....IEND.B`.

Chrome Cache Entry: 173

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	152448
Entropy (8bit):	5.6812676469526275
Encrypted:	false
SSDEEP:
MD5:	AE853673271F2263202006778DFE6837
SHA1:	C6F4B4196CD7A7A018D8DECCD1C3D53278E6028B
SHA-256:	1C326498BEB3B4B01D38F61854563A90277A5056A55791B5C535B482B4B5AB2D
SHA-512:	5FA2BBB23FA5C0098D2A8F028858BFA8C3FB2517CBE1EA627684B03F64D3B629FC0C1D967F7A508648269CFBD2FDC821EBE879D30C3954369AC142F0177C9DB0
Malicious:	false
Reputation:	low
URL:	https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/orchestrate/chl_api/v1?ray=7a95489cbed69106
Preview:	window._cf_chl_opt.uaO=false;~function(hk,f8,f9,fa,fb,fk,fl,fm,fn,fo,fp,fq,fr,fs,ft,fu,fv,fw,fx,fy,fz,fA,fB,fC,fD,fE,fF,fG,fH,fI,fJ,fK,fL,fO,gv,gw,gx,gy,gz,gA,gB,gC,gF,gG,h9,hc,hd,he,hf,hg,hh,hi,gD,gE){for(hk=c,function(d,e,hj,f,g){for(hj=c,f=d();!![];)try{if(g=parseInt(hj(764))/1+parseInt(hj(1190))/2+parseInt(hj(1768))/3(parseInt(hj(862))/4)+parseInt(hj(557))/5+parseInt(hj(1681))/6+-parseInt(hj(940))/7(-parseInt(hj(1476))/8)+-parseInt(hj(459))/9,g===e)break;else f.push(f.shift())}catch(h){f.push(f.shift())}}(b,945686),f8=this\|\|self,f9=f8[hk(881)],fa=[],fb=[],fa[hk(597)](function(hl,d,e,f){if(hl=hk,d={'vxGSi':hl(1001),'JrwAM':hl(627),'kHsJo':hl(1815),'copdQ':'rtl','BauoR':hl(1627),'FYwYj':hl(1297),'dSjPg':function(g){return g()},'aaOsK':hl(1197),'qwrlk':hl(686),'XTKZa':function(g,h){return g===h},'sMgad':hl(1652),'vGtVL':function(g,h){return h===g},'YooSA':function(g,h){return g(h)},'IlJkf':hl(1319),'SSxkW':hl(1134)},e=f9[hl(524)](hl(1086)),e&&(e[hl(1796)][hl(1341)]=d[hl(1332)]),f8[h

Chrome Cache Entry: 177

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 280 x 60, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	8986
Entropy (8bit):	7.885172142822753
Encrypted:	false
SSDEEP:
MD5:	52FAA923BDC074BEEACBF02D43D74678
SHA1:	9D2296BD018C06388B4ED9B09675A9CBE3B7AD55
SHA-256:	D8BCE6AC61DCE9F1AEFFB66A2EF3F289145EB41D4DB52B147818C6E37C76D4D7
SHA-512:	85DDDC12C78878D52115635A96DAF26D3AD05F88240D21CCDB280C05B478B00831AE988FABFE3133164ADAFA7C26DF9D9490CF3F0BDE9417706ABB2379C2F598
Malicious:	false
Reputation:	low
URL:	https://aadcdn.msauthimages.net/dbd5a2dd-149z5nnuwrqldruspgvf9meg2j2cw9-urxgugkgtxls/logintenantbranding/0/bannerlogo?ts=637084898670182552
Preview:	.PNG........IHDR.......<.....2.2O....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CC 2019 (Macintosh)" xmp:CreateDate="2019-11-04T13:39:35-05:00" xmp:MetadataDate="2019-11-04T13:39:35-05:00" xmp:ModifyDate="2019-11-04T13:39:35-05:00" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" dc:format="image/png" xmpMM:InstanceID="xmp.iid:cc26c0db-5d84-4941-8760-fa11b9dc76c9" xmpMM:DocumentID="xmp.did:cc26c0db-5d84-4941-8760-fa11b9dc76c9" xmpMM:Ori

Chrome Cache Entry: 178

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32065)
Category:	downloaded
Size (bytes):	85578
Entropy (8bit):	5.366055229017455
Encrypted:	false
SSDEEP:
MD5:	2F6B11A7E914718E0290410E85366FE9
SHA1:	69BB69E25CA7D5EF0935317584E6153F3FD9A88C
SHA-256:	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
SHA-512:	0D40BCCAA59FEDECF7243D63B33C42592541D0330FEFC78EC81A4C6B9689922D5B211011CA4BE23AE22621CCE4C658F52A1552C92D7AC3615241EB640F8514DB
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/jq/yxe0scthjlujianse21bwmach
Preview:	/! jQuery v2.2.4 \| (c) jQuery Foundation \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="2.2.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call

Chrome Cache Entry: 179

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	3651
Entropy (8bit):	4.094801914706141
Encrypted:	false
SSDEEP:
MD5:	EE5C8D9FB6248C938FD0DC19370E90BD
SHA1:	D01A22720918B781338B5BBF9202B241A5F99EE4
SHA-256:	04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A
SHA-512:	C77215B729D0E60C97F075998E88775CD0F813B4D094DC2FDD13E5711D16F4E5993D4521D0FBD5BF7150B0DBE253D88B1B1FF60901F053113C5D7C1919852D58
Malicious:	false
Reputation:	low
URL:	https://sf1c0alxeb6409c856ebbdd.fileondun.ru/o/nmcyljsj2u0bwshe1chxiaeat
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0,0,1,.419-.967,1.413,1.413,0,0,1,1-.39,1.392,1.392,0,0,1,1.02.4,1.3,1.3,0,0,1,.4.958,1.248,1.248,0,0,1-.414.953,1.428,1.428,0,0,1-1.01.385A1.4,1.4,0,0,1,47.25,6.6a1.261,1.261,0,0,1-.409-.948M49.41,18.4H47.081V8.507H49.41Zm7.064-1.694a3.213,3.213,0,0,0,1.145-.241,4.811,4.811,0,0,0,1.155-.635V18a4.665,4.665,0,0,1-1.266.481,6.886,6.886,0,0,1-1.554.164,4.707,4.707,0,0,1-4.918-4.908,5.641,5.641,0,0,1,1.4-3.932,5.055,5.055,0,0,1,3.955-1.545,5.414,5.414,0,0,1,1.324.168,4.431,4.431,0,0,1,1.063.39v2.233a4.763,4.763,0,0,0-1.1-.611,3.184,3.184,0,0,0-1.15-.217,2.919,2.919,0,0,0-2.223.9,3.37,3.37,0,0,0-.847,2.416,3.216,3.216,0,0,0,.813,2.338,2.936,2.936,0,0,0,2.209.837M65.4,8.343a2.952,2.952,0,0,1,.5.039,2.1,2.1,0,0,1,.375.1v2.358a2.04,2.04,0,0,0-.

Static File Info

⊘No static file info

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\alfredo\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Chrome Cache Entry: 149

Chrome Cache Entry: 150

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 154

Chrome Cache Entry: 155

Chrome Cache Entry: 156

Chrome Cache Entry: 157

Chrome Cache Entry: 158

Chrome Cache Entry: 161

Chrome Cache Entry: 163

Chrome Cache Entry: 165

Chrome Cache Entry: 166

Chrome Cache Entry: 167

Chrome Cache Entry: 168

Chrome Cache Entry: 169

Chrome Cache Entry: 170

Chrome Cache Entry: 172

Chrome Cache Entry: 173

Chrome Cache Entry: 177

Chrome Cache Entry: 178

Chrome Cache Entry: 179

Static File Info

Windows Analysis Report
https://ums.koreanair.com/Check.html?redirectUrl=TV9JRD01MTMy&U1RZUEU9TUFTUw==&TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=&UE9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=&S0lORD1D&Q0lEPTAwMg==&URL=https://harriswilliams.apor.co.za/6fh8je/Ymx1Y2FzQGhhcnJpc3dpbGxpYW1zLmNvbQ==