Edit tour

Windows Analysis Report
https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature

Overview

General Information

Sample URL:	https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature
Analysis ID:	834440

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 5180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 6192 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1728,i,14582151779200918961,4060566531702629114,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 5616 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://mail.onelink.me/107872968/overview?af_qr=true MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 2948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1860,i,1782870878679776002,15740499097875031176,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.143.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.143.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.143.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.143.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.143.67

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1728,i,14582151779200918961,4060566531702629114,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1728,i,14582151779200918961,4060566531702629114,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://mail.onelink.me/107872968/overview?af_qr=true
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1860,i,1782870878679776002,15740499097875031176,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Source	Detection	Scanner	Label	Link
https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature	12%	Virustotal		Browse
https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
star-mini.c10r.facebook.com	157.240.20.35	true	false	high
dart.l.doubleclick.net	142.250.74.198	true	false	high
accounts.google.com	142.250.185.109	true	false	high
plus.l.google.com	142.250.185.110	true	false	high
prod-rotation-v2.guce.aws.oath.cloud	52.49.141.38	true	false	unknown
adservice.google.com	142.250.181.226	true	false	high
spdc-global.pbp.gysm.yahoodns.net	212.82.100.181	true	false	unknown
cs550162656.adn.psicdn.net	152.195.53.200	true	false	unknown
geo-atsv2.media.g03.yahoodns.net	188.125.72.139	true	false	unknown
udc-ats.media.g03.yahoodns.net	188.125.72.139	true	false	unknown
googleads.g.doubleclick.net	172.217.23.98	true	false	high
ds-geoycpi-uno-lite.gycpi.b.yahoodns.net	87.248.100.136	true	false	unknown
www.google.com	172.217.16.132	true	false	high
clients.l.google.com	172.217.16.206	true	false	high
prod-dub-beacon-1484770602.eu-west-1.elb.amazonaws.com	54.171.92.63	true	false	high
edge.gycpi.b.yahoodns.net	87.248.119.252	true	false	unknown
sp.analytics.yahoo.com	unknown	unknown	false	high
udc.yahoo.com	unknown	unknown	false	high
consent.cmp.oath.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
geo.query.yahoo.com	unknown	unknown	false	high
9513459.fls.doubleclick.net	unknown	unknown	false	high
overview.mail.yahoo.com	unknown	unknown	false	high
geo.yahoo.com	unknown	unknown	false	high
s.yimg.com	unknown	unknown	false	high
beacon.krxd.net	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high
code.createjs.com	unknown	unknown	false	high
go.onelink.me	unknown	unknown	false	high
guce.yahoo.com	unknown	unknown	false	high
mail.onelink.me	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.109	accounts.google.com	United States	15169	GOOGLEUS	false
52.49.141.38	prod-rotation-v2.guce.aws.oath.cloud	United States	16509	AMAZON-02US	false
142.250.74.206	unknown	United States	15169	GOOGLEUS	false
52.109.88.191	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
87.248.119.252	edge.gycpi.b.yahoodns.net	United Kingdom	203220	YAHOO-DEBDE	false
2.16.100.160	unknown	European Union	20940	AKAMAI-ASN1EU	false
142.250.185.163	unknown	United States	15169	GOOGLEUS	false
172.217.23.98	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false
142.251.143.67	unknown	United States	15169	GOOGLEUS	false
172.217.18.99	unknown	United States	15169	GOOGLEUS	false
142.250.74.198	dart.l.doubleclick.net	United States	15169	GOOGLEUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
172.217.16.206	clients.l.google.com	United States	15169	GOOGLEUS	false
95.101.54.240	unknown	European Union	34164	AKAMAI-LONGB	false
35.207.247.6	unknown	United States	19527	GOOGLE-2US	false
2.19.126.219	unknown	European Union	16625	AKAMAI-ASUS	false
142.250.185.110	plus.l.google.com	United States	15169	GOOGLEUS	false
142.250.181.226	adservice.google.com	United States	15169	GOOGLEUS	false
188.125.72.139	geo-atsv2.media.g03.yahoodns.net	United Kingdom	34010	YAHOO-IRDGB	false
142.250.186.129	unknown	United States	15169	GOOGLEUS	false
54.171.92.63	prod-dub-beacon-1484770602.eu-west-1.elb.amazonaws.com	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.109.8.45	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.195.53.200	cs550162656.adn.psicdn.net	United States	15133	EDGECASTUS	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
142.250.186.40	unknown	United States	15169	GOOGLEUS	false
142.250.184.238	unknown	United States	15169	GOOGLEUS	false
157.240.20.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
212.82.100.181	spdc-global.pbp.gysm.yahoodns.net	United Kingdom	34010	YAHOO-IRDGB	false
87.248.100.136	ds-geoycpi-uno-lite.gycpi.b.yahoodns.net	United Kingdom	34010	YAHOO-IRDGB	false
172.217.16.132	www.google.com	United States	15169	GOOGLEUS	false
172.217.16.131	unknown	United States	15169	GOOGLEUS	false

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	834440
Start date and time:	2023-03-24 20:15:18 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@40/173@22/303

File Type:	data
Category:	dropped
Size (bytes):	576
Entropy (8bit):	5.0546796578856386
Encrypted:	false
SSDEEP:
MD5:	2428B53E8E5AC2D6BDA093EB1D30251C
SHA1:	29B07DA159248DB8D7C5478C0A7C5590DA2EBDDF
SHA-256:	162396EC65DADD751CCF8FD2D7684791F26E56F6F8D3F9844B08102C862FFF68
SHA-512:	CC5AB6172433C6020933E5E4FDA3529C89F721BDB9AF59DCFECD84D665AEC3CC494FC217AC35AD9EA64008A808921F5CC06A9E40FC0FAAEAD82D25020F0D4698
Malicious:	false
Reputation:	low
Preview:	.6...AAAAAAA...AAAAA...A.A.A/ALAAAAAAAAAAAbA5AtA.!.AGA.A.bbA.A`A.].A%A.A...A AHA...AVA.A.n.AKA.A6d.A.A.A6.A~AEA...6.A.A..Ab.A...A...A...An.LA..bA...A..bA..#A..bA5..A...6#.qA.^tA..&A.5.6..A..bA..A...6`.~A.G.6N..A..bA2..A...A6#.A.-.A.#.A...A.#cA...6#.A.bA..A...An..A...A..A..bA..A. bA..A.tbA.SAA.AbA.S.A.6.AF..A.L.A`..A...AN.A...A..(A.}.A...A.1.A...A..A...A...AV..A..AQ.yA._.AE.MA...A\|.A...AU..A...6...A...6...A.?.6...A.H.A..A.9bAK.XA...A...A...A..DA..A...A.%bAZ.A.;b.q..A.#b...7A...Aw..A68.AAA.AtA.6..............................................Dt...........

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 450 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	19512
Entropy (8bit):	7.972781169513425
Encrypted:	false
SSDEEP:
MD5:	03E682380F6F985F784451C9AC0AEB58
SHA1:	CB7F8D84687C642BFAB08D4D86DB5C3AF4B50DD8
SHA-256:	7D0F5C6EB3FBAC49F72B21056EC10E805A65967389B12501F9038A463C46AB4F
SHA-512:	5D709C9B503B37E3F697270EE303CEA81AAD3C823F5E857E87A79F2CB45CA9811E69E90D6B73361DBFAC0AB014ABCA26CA7CDD52C7710A036C001F90BFA4E450
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR............. 8v.....pHYs............... .IDATx...x\u.....K2I.4..-.PZ... x..D.D.E.E.,.@DP..a.P.+...,zAZ....j.....J+M.$%m...d2..?..0I.t.9..y.<M.t..3..y...}_. .`..a.I.......~i....aT.A3..h.Z..i....c..".1.....)...E....2...Z........i....A1p...Q.pc...j..h.._.`......1;8"d..)!..&Ey.;?.~.>\|.P..EmF....*1..rT...m.>.@.......$.B.....a!d..)....s.(..rs.6....m.3.a...j)....e...0;X...a.@2.)..._.==(Fy.......j......:...,`!d....N...o..4_....C...7..^............a!d....T....zY.,~.\0.rj...\4..h`.0:.Im.....`!d..I...t.~..r."....pj...%....d1L..B.a4G.S..\|...;1P.. .Y...&.a...2..jR......D..a.n.9;w.&.....C..C.B.0.jHujz[......Huj.........Gz.\|.Y.'...a.E"95...s`..!W.4.YY\....!..8..2..TD...3...Y.......B{4...v.2t..G.O.b8.,..........i.q.6l0.2<..;._.z.2sj.`""...sv.;.6.6S.L..l.f..u07.Q......,..`!d....88...v./.Iva..............[.....K....o..].H.DoSg+Z..!.k...]&`...6.`.g......B.0LQ../>O.......a1'.......p.w..`.....>.hA.".....%.b..W.;G"...[a[e.w.3.(/.X....2.Sl.Zo...

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50190
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849

IP
192.168.2.1
127.0.0.1

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 349x325, components 3
Category:	dropped
Size (bytes):	14926
Entropy (8bit):	7.931873461634354
Encrypted:	false
SSDEEP:
MD5:	3FA4B36CD8C3C638B11151732D1F472F
SHA1:	113CF0FD8DDFB761087034CD4C2448EBD8F6F64E
SHA-256:	3BF90324D965001F3BFCE9E9CE3190A496C685A1E5123EA29ADF5C88CEDFEFE3
SHA-512:	4375D41C80B675F0CFACE226C8AAD6816CFC5EC55540CF14F496BF6E7A65D1539AF327ABF72A2892E2CB790D5430349CF83898656102ED1B7BEFC0FD5F48BDE5
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C....................................................................C.......................................................................E.].............................................:.........................!1.AQa.."q.2...B.#.....Rr.3b.$4................................/..........................!1"2A..Q.BRq..3CaS.............?....@ ......~\|.:.....=.a....}.....,......5-._B. .a.\|D.t$/..b.&../].6...........R.!...U.Y..i....Y...H.....>)..S&...6q%..p].K>,.k.<.1..zn......5...k_.......p...,.dy.1...t...r8..7k..m...Y.e..5..$.n"t..........;wo..Q..A.V.<.............iD.` .......@ .......@ .......@ .......@ ..=..p~.....<.=........:....z..\. ..L.1,7..._c.X[.[<C.W`sO..{.....6.~'.....gV..K.........I.q..m..^...7.[......~*.x.W.p...O.X...'R...u1.....%.\|V....]\..cn.1.Z...PG/b.b.F..l...,.J...e.&..Y..2\.'a..v..z.FI..j..m......<...I.6.F.9..m.>M.ke.........v.$..@..F...c....wW}%.of(.f.ee..rf..5.F......F.....g.[....XC..^9.U.........wS5.......

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 993 x 992, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	6610
Entropy (8bit):	5.50787659193572
Encrypted:	false
SSDEEP:
MD5:	125CAA264271D11FC604E69039E40FBA
SHA1:	8DAC0388E0550709F68601C68774332649CFA44F
SHA-256:	0662F12407065414DDE6E7EDF658DB98A5CADCA3DD9D9AEA947C65B93F110A7C
SHA-512:	55FC34890CB3801707C8F8C69500D249F4098428A5B5DC018317B5F260B1F9125500C71D445431128701685504D3F51FA0A1F998E0CB968E2188AAF8D545DDC7
Malicious:	false
Reputation:	low
URL:	https://s.yimg.com/cv/apiv2/default/bcg/norrin/images/qr-yahoomail7.png
Preview:	.PNG........IHDR....................pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.1-c000 79.98d7942, 2022/03/21-11:40:59 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.5 (Macintosh)" xmp:CreateDate="2022-10-02T22:37:49-07:00" xmp:ModifyDate="2022-10-02T22:38:56-07:00" xmp:MetadataDate="2022-10-02T22:38:56-07:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:f250be95-e92f-4f45-a87f-a7289842efe6" xmpMM:DocumentID="adobe:docid:photoshop:6761c975-f7eb-414b-8f05-c8512392dfd

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Chrome Cache Entry: 164

Chrome Cache Entry: 165

Chrome Cache Entry: 167

Chrome Cache Entry: 168

Chrome Cache Entry: 171

Chrome Cache Entry: 172

Chrome Cache Entry: 173

Chrome Cache Entry: 174

Chrome Cache Entry: 175

Chrome Cache Entry: 177

Chrome Cache Entry: 178

Chrome Cache Entry: 179

Chrome Cache Entry: 181

Chrome Cache Entry: 182

Chrome Cache Entry: 184

Chrome Cache Entry: 185

Chrome Cache Entry: 186

Chrome Cache Entry: 187

Chrome Cache Entry: 188

Chrome Cache Entry: 190

Chrome Cache Entry: 191

Chrome Cache Entry: 192

Chrome Cache Entry: 194

Chrome Cache Entry: 196

Chrome Cache Entry: 197

Chrome Cache Entry: 199

Chrome Cache Entry: 205

Chrome Cache Entry: 206

Chrome Cache Entry: 209

Chrome Cache Entry: 211

Chrome Cache Entry: 212

Chrome Cache Entry: 213

Chrome Cache Entry: 214

Chrome Cache Entry: 215

Chrome Cache Entry: 217

Chrome Cache Entry: 218

Chrome Cache Entry: 220

Chrome Cache Entry: 223

Windows Analysis Report
https://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature