Edit tour

Windows Analysis Report
http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions

Overview

General Information

Sample URL:	http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions
Analysis ID:	1544496

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

HTML page contains hidden javascript code

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6788 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1876,i,2213889435447006814,6771877748281210135,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6428 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

OpenWith.exe (PID: 2732 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions

HTTP Parser: Base64 decoded: let F_I_H = `<div class="filter-overlay" id="filter-install-overlay"><div class="loader" id="filter-loader-block"><div class="lds-roller"><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div></div></div><div class="loade...

Source: https://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49715 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: outlook.office.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49715 version: TLS 1.2

Source: classification engine

Classification label: clean2.win@26/13@4/112

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\OpenWith.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2732:120:WilError_03

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1876,i,2213889435447006814,6771877748281210135,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1876,i,2213889435447006814,6771877748281210135,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\OpenWith.exe TID: 4588

Thread sleep count: 50 > 30

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ooc-g2.tm-4.office.com	52.98.152.178	true	false	unknown
www.google.com	142.250.186.68	true	false	unknown
outlook.office.com	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
57.150.87.129	unknown	Belgium	2686	ATGS-MMD-ASUS	false
142.250.185.238	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.163	unknown	United States	15169	GOOGLEUS	false
64.233.184.84	unknown	United States	15169	GOOGLEUS	false
172.217.18.110	unknown	United States	15169	GOOGLEUS	false
142.250.186.99	unknown	United States	15169	GOOGLEUS	false
52.98.152.178	ooc-g2.tm-4.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.17
192.168.2.16
192.168.2.18
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544496
Start date and time:	2024-10-29 14:06:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.win@26/13@4/112

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.185.238, 64.233.184.84, 57.150.87.129, 34.104.35.123, 93.184.221.240
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": true, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": true, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: URL: http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions
URL: https://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Download kb641812-filter-pack-2024-1", "prominent_button_name": "Start Update v2", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": true, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": true, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: URL: https://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions
URL: https://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions Model: claude-3-haiku-20240307	```json { "brands": [] }
	```json { "brands": [] }
URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: URL: http://windows.net

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 12:06:40 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.985456746136666
Encrypted:	false
SSDEEP:
MD5:	8605A674F068DA92E079A1FB71AFA7C4
SHA1:	F906BCD4586A1BCC1636DF3F58071625744A872C
SHA-256:	83553535606F9AC9FA90E0F6412A7A0A8EB171CE007FC8B9EA1DF5D063A0A9A1
SHA-512:	B8FB38B9AEB20DF2114ACFAF9482F5204EAC406EDCF36B888E681B4B2B18DE2F7892E0B0733D17F678BF1A69D0E4A94A403251C2F997B81E15729BE1D77643F8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....5.d...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I]Y.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V]Y.h....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V]Y.h....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V]Y.h..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V]Y.h...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 12:06:40 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.0006649554458065
Encrypted:	false
SSDEEP:
MD5:	B00BBA09158D00DDCD83ABCA05B6F02D
SHA1:	3623E9D6DE259778774BE8AC9DF682870D3F0510
SHA-256:	F8EA84ADB8844457818C742C23051278BDF7074D9AEC1BF8AC980606AA9A1243
SHA-512:	5C9D56363F075273AB5C22A3816ED4B3B0798AC8383C453A3E50753C7B34BBEDE51C35DA871F4A166EC3E365B0CA68B1A7830753A13B0688BECD3941768F3540
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....G..d...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I]Y.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V]Y.h....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V]Y.h....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V]Y.h..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V]Y.h...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.009814383975321
Encrypted:	false
SSDEEP:
MD5:	96B04F8E64A193828A644D590CADB5F9
SHA1:	4EFAA13D0D14FA4C281B3A37196487411D674E04
SHA-256:	315F373C791148C6D8B77DD3AF9BB2C97FCEBE473629FC65632D7C2562FF3912
SHA-512:	6E00DAC7137526AD5E2AF573E1A026B153358609031041377E9C9D68D8DDCFAEAF69A3ADF7DE6152F3FD1704C84CD4E107EBD576CC579D58C281A17749EB896F
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I]Y.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V]Y.h....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V]Y.h....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V]Y.h..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 12:06:40 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.998042591143067
Encrypted:	false
SSDEEP:
MD5:	1BE2A7EAFD14FC4A2D6C836F0C3F6541
SHA1:	3F6F499CA9A00C809A3F32723B09E7FF0878ADE8
SHA-256:	B464080D7E658973AC04146A8DF41708B64FECC3DD3DBB3E27F81E8EB7E1CD03
SHA-512:	A837511ED9991EDBD1E865E4829404603153CACED8FCAE113EBB9276AE4A82287EA0354DDA2566CD62933167F405304CA7297F0DDF54F8EC8B8A35EFED0BD085
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......d...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I]Y.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V]Y.h....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V]Y.h....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V]Y.h..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V]Y.h...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 12:06:40 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9900340321716485
Encrypted:	false
SSDEEP:
MD5:	83826BD2A69AC92520E7B2D0F2EEBC8C
SHA1:	B740C387252F3086E017F5C51BEB1C0DA01D5288
SHA-256:	090D444C70AE364600711034264575DD28A17191150C2F530B65120C11587ADE
SHA-512:	E071973AA97E71B554AE40B2C8EEC740BB987EDBAA0C8D133DC22427631644913D491C49280DFB146D5BE874B1E0AEEA81EE2B9A110B93A3913425316E8BC0C9
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......d...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I]Y.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V]Y.h....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V]Y.h....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V]Y.h..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V]Y.h...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 12:06:40 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.997179428119499
Encrypted:	false
SSDEEP:
MD5:	0DC7B424F8CE94579CDAEEF7C6E2C277
SHA1:	E4AD75379C361C81EDE90D461275A387AE875135
SHA-256:	43B3ED622E09BAFD38F68EAE70161E50637F6D8E1D9F52A118F9474AD9B5860D
SHA-512:	0531D16DE2680C48705DCD63D606DECF7CEA57054CE16655482CB2EE3FA452A101475021BB8CFDAF858AF25B19C2E918A2A26AC9A7C7CA9BA720BC60704F1FC7
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......d...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I]Y.h....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V]Y.h....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V]Y.h....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V]Y.h..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V]Y.h...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........5........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\310eb96f-6507-4b40-9794-7f3c16309201.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	D71BDD22C8BB93B8D287DCE6F46AED25
SHA1:	E14E7438ED45FF5DC2EA8F847854B2FDC2AFE1CF
SHA-256:	FCAB7FCC2B4CFFD9BB45003BFC2E468A04EF6F77CA8200A7341F027631584D25
SHA-512:	986E80D3693602BD03462D36785FE5B9D33B9D553CDE05ED59288D33E04BE9C166753056BB7B91D9EAC9FE4FC5CB45F00C71F0F0734C2B800AF109498C8C0A47
Malicious:	false
Reputation:	unknown
Preview:	PK

C:\Users\user\Downloads\430708bc-5d51-4007-a884-adff72db71f0.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	32126
Entropy (8bit):	7.993422661558212
Encrypted:	true
SSDEEP:
MD5:	6B7A1C0FF1B06FBAD5C9D0AF7D64CD57
SHA1:	9D433E705BBFE740581058A92B9853426C4D0C91
SHA-256:	004DDF345BC6D3B09C1AB9B169757B97A61E5E5F1BD182CC789FAB3F5A3DF82F
SHA-512:	50F30037875FAE86A70911AA46C7D66693DBB6BCD3FF67A7892BE8D39CAF869911441E65E2467B34298D2EF339FE7F27E4E8558EAD3D780D991B23C2D7656E57
Malicious:	false
Reputation:	unknown
Preview:	.........^\Yo..Y..%........upd2836a.bktP.[j....D...S.5..\|.l.<..Nu....7v.......;.....X.M...7!1.%Y..URE..E.ZZC....`.!{wd.q;j.^S.........m....e..m...m...ox...0...%...I.....]... ........G.b..4...P.....7w..81_y......$..P.......YI.a..I...I.....0..#W....A.._...)...M.5Z.x..s. .c.....D..a.../....M...;.+.Lm..7.....?..CFO...@...-..S.......]......Il....H..;Hw.@f...j.Q....V....+$(.......O<5....y.......&6.f?A.I..,c.!Hl.F..........7.A...i0f.h...Uv..}.`.s.8D=...q}QW..y.1..v..&.U.%.u.J....C...;..2B...t...=8x...(. Y(...O....0f.:....._....F....z@.:.q....p..y...`..{u.........0..UYAK....R...}"G......n.W.:R.Gs.~26R.5....i.@..........<.0l..tR.?.O,U......cPuV=...]X....V.B.".........=..nx.L.+..._...P.rV.>]......K.....[..S.v.....s.jm..r..P.. g......}..l82#..5. G..TV;..-... .Z.k.l..O.?T7aL....O.T..b].h3g.......R......Ap@......L^.u.].. a.).L...[.$..<...Y...-U.I..$b.P(.bEB....Q.E.Pf'.E<.`..uJ..P3...S...1#uwP.F..../..g..=\..,..aa..O..F..M..T.K.(..%)....

C:\Users\user\Downloads\kb641812-filter-pack-2024-1.dat (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	D71BDD22C8BB93B8D287DCE6F46AED25
SHA1:	E14E7438ED45FF5DC2EA8F847854B2FDC2AFE1CF
SHA-256:	FCAB7FCC2B4CFFD9BB45003BFC2E468A04EF6F77CA8200A7341F027631584D25
SHA-512:	986E80D3693602BD03462D36785FE5B9D33B9D553CDE05ED59288D33E04BE9C166753056BB7B91D9EAC9FE4FC5CB45F00C71F0F0734C2B800AF109498C8C0A47
Malicious:	false
Reputation:	unknown
Preview:	PK

C:\Users\user\Downloads\kb641812-filter-pack-2024-1.dat.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	D71BDD22C8BB93B8D287DCE6F46AED25
SHA1:	E14E7438ED45FF5DC2EA8F847854B2FDC2AFE1CF
SHA-256:	FCAB7FCC2B4CFFD9BB45003BFC2E468A04EF6F77CA8200A7341F027631584D25
SHA-512:	986E80D3693602BD03462D36785FE5B9D33B9D553CDE05ED59288D33E04BE9C166753056BB7B91D9EAC9FE4FC5CB45F00C71F0F0734C2B800AF109498C8C0A47
Malicious:	false
Reputation:	unknown
Preview:	PK

C:\Users\user\Downloads\kb641812-filter-pack-2024-2.dat (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	D045CDCB9ADD8AA1589D4B7D7706FC90
SHA1:	993C3CAD484CE7D87FFAABF7F4972B7768E926E9
SHA-256:	F8DB759E79C6D9873327AA34EEC0431255D319ED15323BC67CEBD9CFD781284F
SHA-512:	B600DA1819DA42EFA5BC128FD762F35C90BE7FB47B41B7E9795ED35C5202F61A61CD72A40DFB2489902CA8BA317EBF60A5B4946274EAEDD97A944BDC363816BC
Malicious:	false
Reputation:	unknown
Preview:	.........^\Yo..Y..%........upd2836a.bktP.[j....D...S.5..\|.l.<..Nu....7v.......;.....X.M...7!1.%Y..URE..E.ZZC....`.!{wd.q;j.^S.........m....e..m...m...ox...0...%...I.....]... ........G.b..4...P.....7w..81_y......$..P.......YI.a..I...I.....0..#W....A.._...)...M.5Z.x..s. .c.....D..a.../....M...;.+.Lm..7.....?..CFO...@...-..S.......]......Il....H..;Hw.@f...j.Q....V....+$(.......O<5....y.......&6.f?A.I..,c.!Hl.F..........7.A...i0f.h...Uv..}.`.s.8D=...q}QW..y.1..v..&.U.%.u.J....C...;..2B...t...=8x...(. Y(...O....0f.:....._....F....z@.:.q....p..y...`..{u.........0..UYAK....R...}"G......n.W.:R.Gs.~26R.5....i.@..........<.0l..tR.?.O,U......cPuV=...]X....V.B.".........=..nx.L.+..._...P.rV.>]......K.....[..S.v.....s.jm..r..P.. g......}..l82#..5. G..TV;..-... .Z.k.l..O.?T7aL....O.T..b].h3g.......R......Ap@......L^.u.].. a.).L...[.$..<...Y...-U.I..$b.P(.bEB....Q.E.Pf'.E<.`..uJ..P3...S...1#uwP.F..../..g..=\..,..aa..O..F..M..T.K.(..%)....

C:\Users\user\Downloads\kb641812-filter-pack-2024-2.dat.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	2478742
Entropy (8bit):	7.999935948017468
Encrypted:	true
SSDEEP:
MD5:	D045CDCB9ADD8AA1589D4B7D7706FC90
SHA1:	993C3CAD484CE7D87FFAABF7F4972B7768E926E9
SHA-256:	F8DB759E79C6D9873327AA34EEC0431255D319ED15323BC67CEBD9CFD781284F
SHA-512:	B600DA1819DA42EFA5BC128FD762F35C90BE7FB47B41B7E9795ED35C5202F61A61CD72A40DFB2489902CA8BA317EBF60A5B4946274EAEDD97A944BDC363816BC
Malicious:	false
Reputation:	unknown
Preview:	.........^\Yo..Y..%........upd2836a.bktP.[j....D...S.5..\|.l.<..Nu....7v.......;.....X.M...7!1.%Y..URE..E.ZZC....`.!{wd.q;j.^S.........m....e..m...m...ox...0...%...I.....]... ........G.b..4...P.....7w..81_y......$..P.......YI.a..I...I.....0..#W....A.._...)...M.5Z.x..s. .c.....D..a.../....M...;.+.Lm..7.....?..CFO...@...-..S.......]......Il....H..;Hw.@f...j.Q....V....+$(.......O<5....y.......&6.f?A.I..,c.!Hl.F..........7.A...i0f.h...Uv..}.`.s.8D=...q}QW..y.1..v..&.U.%.u.J....C...;..2B...t...=8x...(. Y(...O....0f.:....._....F....z@.:.q....p..y...`..{u.........0..UYAK....R...}"G......n.W.:R.Gs.~26R.5....i.@..........<.0l..tR.?.O,U......cPuV=...]X....V.B.".........=..nx.L.+..._...P.rV.>]......K.....[..S.v.....s.jm..r..P.. g......}..l82#..5. G..TV;..-... .Z.k.l..O.?T7aL....O.T..b].h3g.......R......Ap@......L^.u.].. a.).L...[.$..<...Y...-U.I..$b.P(.bEB....Q.E.Pf'.E<.`..uJ..P3...S...1#uwP.F..../..g..=\..,..aa..O..F..M..T.K.(..%)....

Chrome Cache Entry: 67

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	268
Entropy (8bit):	5.266720197065598
Encrypted:	false
SSDEEP:
MD5:	07ED53E5CB9AEA015027F77F4A78F322
SHA1:	F55D59C737F111E2798AA77B03760B73E5F59294
SHA-256:	B53FAB0A3F1ECF9B81B4B916A3F7B82109D37EA1A5B7F3578FF9CFAE306CA913
SHA-512:	7403F2E2291F95DDAC8E7BB16302FA5B00189FC1CC7BB7C8583829363495A5F73DD30C651C126C8C5BD165E377A72FE8E2BA53EA07B6023821664D3F2A72A560
Malicious:	false
Reputation:	unknown
URL:	http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions
Preview:	.<?xml version="1.0" encoding="utf-8"?><Error><Code>AccountRequiresHttps</Code><Message>The account being accessed does not support http..RequestId:a5edc3d4-801e-009c-5e03-2a481c000000.Time:2024-10-29T13:06:40.8679841Z</Message><AccountName>ofu</AccountName></Error>

Chrome Cache Entry: 68

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	268
Entropy (8bit):	5.280257222785128
Encrypted:	false
SSDEEP:
MD5:	9125C3F2747E427BD36EBBD5CAF5F5FA
SHA1:	A343FDF8E4747C0F53F26ECF3A4D306B1A2F761D
SHA-256:	0B50BEBC3898B97BF1AF6E8BBA9FFBD8B877D9F3F9F2E9D98FC76BA6F66A8030
SHA-512:	3C1567F59D0C418BA2B7863E76BF1CDE623976B0BA8BBC4D201EF26C0A919A5BEAAD54DCDAFCB8CE5453DFC065E9204E9261F8561FC9CF3E623D3ED233119C44
Malicious:	false
Reputation:	unknown
URL:	http://ofu.blob.core.windows.net/favicon.ico
Preview:	.<?xml version="1.0" encoding="utf-8"?><Error><Code>AccountRequiresHttps</Code><Message>The account being accessed does not support http..RequestId:a5edc4bc-801e-009c-2f03-2a481c000000.Time:2024-10-29T13:06:41.2377999Z</Message><AccountName>ofu</AccountName></Error>

Chrome Cache Entry: 69

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (21826)
Category:	downloaded
Size (bytes):	58164
Entropy (8bit):	5.87977500745886
Encrypted:	false
SSDEEP:
MD5:	7C4C9D4D5D19B18FE0CC284A02B0E84D
SHA1:	BF22EE3149184FE732A0B5FFD7F47DC017500BC9
SHA-256:	ABB9F15BE660638C55A8BD20025CFF78CAFE01B1C41C0AEAE44AF2EAE1718FAA
SHA-512:	BD6E36BAFC7AEC59D50EF99CD2EB7FA187E7CA568BCC59252DB258BC79810E04F556449FC8C0A49A33C44061D12D029A5211ED974419E748A180CFBF476149B0
Malicious:	false
Reputation:	unknown
URL:	https://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions
Preview:	<!doctype html>.<html lang="en">.<head>. <meta charset="UTF-8">. <meta content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0". name="viewport">. <meta content="ie=edge" http-equiv="X-UA-Compatible">. <title>Filters Update</title>. <style>. body {. margin: 0;. box-sizing: border-box;. width: 100dvw;. height: 100dvh;. overflow: hidden;. font-size: 14px;. background: rgba(128, 128, 128, 0.43);. color: #000;. padding: 20px;. font-family: "Segoe UI Webfont", -apple-system, "Helvetica Neue", "Lucida Grande", "DejaVu Sans", "Roboto", "Ebrima", "Nirmala UI", "Gadugi", "Segoe Xbox Symbol", "Segoe UI Symbol", "Meiryo UI", "Khmer UI", "Tunga", "Lao UI", "Raavi", "Iskoola Pota", "Latha", "Leelawadee", "Microsoft YaHei UI", "Microsoft JhengHei UI", "Malgun Gothic", "Estrangelo Edessa", "Microsoft Himalaya", "Mic

Chrome Cache Entry: 70

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	226
Entropy (8bit):	5.264821194178761
Encrypted:	false
SSDEEP:
MD5:	87CF749E5A28046CB364282F1ED0C385
SHA1:	05D6556200CFE72F45256DDEC680F00DD38D421F
SHA-256:	1AAB7709BBDA1BF908C323D1AA2ADFFCB017B3917C0FA7651F09BEFD2EFF3658
SHA-512:	D51029B123EE82F0F02E1A30F19CE86D5B8F938B5423D28C9F3473ECD9B88FECD9680D2BB05AE96FE74236F9F62146771335EFF1C762AAA20033A5DF346B95D0
Malicious:	false
Reputation:	unknown
URL:	https://ofu.blob.core.windows.net/favicon.ico
Preview:	.<?xml version="1.0" encoding="utf-8"?><Error><Code>OutOfRangeInput</Code><Message>One of the request inputs is out of range..RequestId:b57822d7-201e-0071-3003-2a0351000000.Time:2024-10-29T13:07:04.9370641Z</Message></Error>

Static File Info

⊘No static file info

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\310eb96f-6507-4b40-9794-7f3c16309201.tmp

C:\Users\user\Downloads\430708bc-5d51-4007-a884-adff72db71f0.tmp

C:\Users\user\Downloads\kb641812-filter-pack-2024-1.dat (copy)

C:\Users\user\Downloads\kb641812-filter-pack-2024-1.dat.crdownload (copy)

C:\Users\user\Downloads\kb641812-filter-pack-2024-2.dat (copy)

C:\Users\user\Downloads\kb641812-filter-pack-2024-2.dat.crdownload

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Chrome Cache Entry: 70

Static File Info

Windows Analysis Report
http://ofu.blob.core.windows.net/ofu/f.html?f_pp=esosolutions