Edit tour

Windows Analysis Report
https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js

Overview

General Information

Sample URL:	https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js
Analysis ID:	1417174
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Sigma detected: WScript or CScript Dropper

Found WSH timer for Javascript or VBS script (likely evasive script)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to load missing DLLs

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6916 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wget.exe (PID: 6276 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

wscript.exe (PID: 4588 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js", ProcessId: 4588, ProcessName: wscript.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3704, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js" > cmdline.out 2>&1, ProcessId: 6916, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js", ProcessId: 4588, ProcessName: wscript.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 37.19.207.34:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: vd.trinitymedia.aiConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: vd.trinitymedia.ai

Source: wget.exe, 00000002.00000002.1607433296.0000000000A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vd.t=G
Source: wget.exe, 00000002.00000002.1607433296.0000000000A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115
Source: wget.exe, 00000002.00000002.1607433296.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	String found in binary or memory: https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 37.19.207.34:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior

Source: classification engine

Classification label: sus23.win@5/2@1/1

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js"	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: wget.exe, 00000002.00000002.1607433296.0000000000A08000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js"	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d0	0%	Avira URL Cloud	safe
https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115	0%	Avira URL Cloud	safe
https://vd.t=G	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
staticvim.b-cdn.net	37.19.207.34	true	false		high
vd.trinitymedia.ai	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://vd.t=G	wget.exe, 00000002.00000002.1607433296.0000000000A00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d0	wget.exe, 00000002.00000002.1607433296.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	false	Avira URL Cloud: safe	unknown
https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115	wget.exe, 00000002.00000002.1607433296.0000000000A08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.19.207.34	staticvim.b-cdn.net	Ukraine		31343	INTERTELECOMUA	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417174
Start date and time:	2024-03-28 18:02:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus23.win@5/2@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1193
Entropy (8bit):	4.1890900449616515
Encrypted:	false
SSDEEP:	24:xQT57EY2EYoxePgqbdNTFvXwuFoOKbdN9:C7OgQbdNTeuSOKbdN9
MD5:	6C65CD641E0E8ED3D3527B3E63098C35
SHA1:	456874CEDC8715A23DD6CD65BFC78EDBC2DC29F1
SHA-256:	9D5A67CCF7933149EB9D8A1E0BD80C13FDBBAD2B3A9855578495B754D9134DEF
SHA-512:	8D1424D044B73892E157B418692DA20691DD620424B6ADB2F6DC1B125F9EFB08902EBF765997B125FC71AF186687B9DF1DF4DB91E419F0094B83BE5598E5BB68
Malicious:	false
Reputation:	low
Preview:	--2024-03-28 18:03:36-- https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js..Resolving vd.trinitymedia.ai (vd.trinitymedia.ai)... 37.19.207.34..Connecting to vd.trinitymedia.ai (vd.trinitymedia.ai)\|37.19.207.34\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 399942 (391K) [application/javascript]..Saving to: 'C:/Users/user/Desktop/download/trinity-player.js'.... 0K .......... .......... .......... .......... .......... 12% 253K 1s.. 50K .......... .......... .......... .......... .......... 25% 684K 1s.. 100K .......... .......... .......... .......... .......... 38% 1.05M 1s.. 150K .......... .......... .......... .......... .......... 51% 1.42M 0s.. 200K .......... .......... .......... .......... .......... 64% 1.71M 0s.. 250K .......... .......... .......... .......... .......... 76% 2.11M 0s.. 300K .......... .......... .......... .......... .......... 89% 1.35M 0s

C:\Users\user\Desktop\download\trinity-player.js

Download File

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	399942
Entropy (8bit):	5.483418741782169
Encrypted:	false
SSDEEP:	6144:zWkjf1QirKNQ4UoDWhm9q58DzI71ZyNQt9xFTduDlU/gqb/JGZ69KFFW3xpcl8c:yNKKNQ4ZDWhm0yDzC1ZyNQR/y8c
MD5:	81F00BB1F52510697DB4512C7A5E2766
SHA1:	B27DAC316A6EAF1F0E7E75D475053C1D15A4793A
SHA-256:	ABBF1D84370ABCD71CA1EDAA45EDE3A7042A74A5476C9CCDD0DBF656DA8B6300
SHA-512:	188BFB541FDCAACBD5699B8E792B6F27F2E27C477F726A4088A55B59365F61D4DF9E69092534DB0B5B9D1A37FC57B73BF4FB5F1835DC7EA57F15770727008D0B
Malicious:	true
Reputation:	low
Preview:	!function(){var e,t,n,s,i={1987:function(e){var t={utf8:{stringToBytes:function(e){return t.bin.stringToBytes(unescape(encodeURIComponent(e)))},bytesToString:function(e){return decodeURIComponent(escape(t.bin.bytesToString(e)))}},bin:{stringToBytes:function(e){for(var t=[],n=0;n<e.length;n++)t.push(255&e.charCodeAt(n));return t},bytesToString:function(e){for(var t=[],n=0;n<e.length;n++)t.push(String.fromCharCode(e[n]));return t.join("")}}};e.exports=t},9919:function(e){var t,n;t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",n={rotl:function(e,t){return e<<t\|e>>>32-t},rotr:function(e,t){return e<<32-t\|e>>>t},endian:function(e){if(e.constructor==Number)return 16711935&n.rotl(e,8)\|4278255360&n.rotl(e,24);for(var t=0;t<e.length;t++)e[t]=n.endian(e[t]);return e},randomBytes:function(e){for(var t=[];e>0;e--)t.push(Math.floor(256*Math.random()));return t},bytesToWords:function(e){for(var t=[],n=0,s=0;n<e.length;n++,s+=8)t[s>>>5]\|=e[n]<<24-s%32;return t},wordsToBytes:funct

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 18:03:37.016077042 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.016120911 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.016305923 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.017869949 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.017883062 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.219908953 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.220026970 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.221740007 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.221756935 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.222009897 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.222863913 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.264247894 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.402021885 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.441617012 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.441634893 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.441708088 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.441736937 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.441795111 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.519496918 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.519515991 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.519587994 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.519613981 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.519656897 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.565001965 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.565021992 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.565193892 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.565207958 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.565249920 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.601993084 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.602013111 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.602101088 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.602122068 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.602161884 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.626987934 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.627002954 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.627182961 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.627203941 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.627249002 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.647706032 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.647725105 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.647795916 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.647819996 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.647864103 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.671135902 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.671161890 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.671233892 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.671247959 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.671260118 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.671288967 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.690135956 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.690152884 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.690229893 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.690239906 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.690280914 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.707427025 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.707442999 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.707509041 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.707516909 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.707556009 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.721653938 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.721668959 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.721740961 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.721749067 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.721790075 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.733139992 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.733156919 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.733218908 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.733225107 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.733269930 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.745364904 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.745384932 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.745445013 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.745454073 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.745497942 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.754873037 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.754890919 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.754954100 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.754962921 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.755002975 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.765328884 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.765373945 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.765386105 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.765392065 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.765420914 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.765434980 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.774061918 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.774080992 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.774146080 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.774153948 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.774192095 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.783394098 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.783412933 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.783472061 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.783478975 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.783497095 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.783520937 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.791208029 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.791224003 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.791294098 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.791304111 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.791346073 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.798738956 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.798754930 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.798820972 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.798827887 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.798870087 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.806871891 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.806888103 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.806950092 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.806965113 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.807005882 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.813641071 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.813661098 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.813708067 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.813715935 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.813888073 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.813888073 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.821001053 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.821017027 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.821074009 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.821082115 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.821122885 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.827136040 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.827203035 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.827603102 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.827665091 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.834155083 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.834194899 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.834225893 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.834233046 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.834259987 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.834278107 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.839529991 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.839545965 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.839580059 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.839585066 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.839621067 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.839644909 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.842104912 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.842164040 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.842169046 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.842219114 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.842411995 CET	443	49730	37.19.207.34	192.168.2.4
Mar 28, 2024 18:03:37.842454910 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.858109951 CET	49730	443	192.168.2.4	37.19.207.34
Mar 28, 2024 18:03:37.858124971 CET	443	49730	37.19.207.34	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 18:03:36.909109116 CET	49351	53	192.168.2.4	1.1.1.1
Mar 28, 2024 18:03:37.009749889 CET	53	49351	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 28, 2024 18:03:36.909109116 CET	192.168.2.4	1.1.1.1	0x6d32	Standard query (0)	vd.trinitymedia.ai	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 28, 2024 18:03:37.009749889 CET	1.1.1.1	192.168.2.4	0x6d32	No error (0)	vd.trinitymedia.ai	staticvim.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 28, 2024 18:03:37.009749889 CET	1.1.1.1	192.168.2.4	0x6d32	No error (0)	staticvim.b-cdn.net		37.19.207.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

vd.trinitymedia.ai

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	37.19.207.34	443	6276	C:\Windows\SysWOW64\wget.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-28 17:03:37 UTC	287	OUT	GET /trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: vd.trinitymedia.ai Connection: Keep-Alive
2024-03-28 17:03:37 UTC	806	IN	HTTP/1.1 200 OK Date: Thu, 28 Mar 2024 17:03:37 GMT Content-Type: application/javascript Content-Length: 399942 Connection: close Vary: Accept-Encoding Server: BunnyCDN-ASB1-925 CDN-PullZone: 112690 CDN-Uid: acbc2e0b-1875-472e-93e7-be7f028b2851 CDN-RequestCountryCode: US Cache-Control: public, max-age=604800 ETag: "81f00bb1f52510697db4512c7a5e2766" Last-Modified: Tue, 26 Mar 2024 10:26:35 GMT x-amz-id-2: 5AwV1kK17Rp3d8f2A1eUCrm4jIueBtKwqBxMvlLeu97sUBUhso4EvppMpIiACYvl3JxuPrTPRPs= x-amz-request-id: QQRAAXH28C8JSNZ8 x-amz-version-id: QI29DaJiHxZLrBi2YN.q5aiYZOaTLnY1 CDN-ProxyVer: 1.04 CDN-RequestPullSuccess: True CDN-RequestPullCode: 200 CDN-CachedAt: 03/26/2024 10:33:57 CDN-EdgeStorageId: 925 CDN-Status: 200 CDN-RequestId: e3fc8e6f3d06bb0571ead526f69c6ef2 CDN-Cache: HIT
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 2c 74 2c 6e 2c 73 2c 69 3d 7b 31 39 38 37 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 7b 75 74 66 38 3a 7b 73 74 72 69 6e 67 54 6f 42 79 74 65 73 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 74 2e 62 69 6e 2e 73 74 72 69 6e 67 54 6f 42 79 74 65 73 28 75 6e 65 73 63 61 70 65 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 65 29 29 29 7d 2c 62 79 74 65 73 54 6f 53 74 72 69 6e 67 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 65 73 63 61 70 65 28 74 2e 62 69 6e 2e 62 79 74 65 73 54 6f 53 74 72 69 6e 67 28 65 29 29 29 7d 7d 2c 62 69 6e 3a 7b 73 74 72 69 6e 67 54 6f 42 79 74 65 73 3a 66 75 6e 63 74 69 Data Ascii: !function(){var e,t,n,s,i={1987:function(e){var t={utf8:{stringToBytes:function(e){return t.bin.stringToBytes(unescape(encodeURIComponent(e)))},bytesToString:function(e){return decodeURIComponent(escape(t.bin.bytesToString(e)))}},bin:{stringToBytes:functi
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 74 6c 69 6e 65 2d 6f 66 66 73 65 74 3a 34 70 78 7d 2e 63 6d 70 2d 65 6c 2d 73 65 74 74 69 6e 67 73 20 2e 73 65 74 74 69 6e 67 73 2d 6c 61 6e 67 75 61 67 65 2d 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 61 69 6e 65 72 2d 77 72 61 70 70 65 72 20 2e 62 75 74 74 6f 6e 2e 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 34 44 34 44 34 44 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 34 44 34 44 34 44 7d 2e 63 6d 70 2d 65 6c 2d 73 65 74 74 69 6e 67 73 20 2e 73 65 74 74 69 6e 67 73 2d 6c 61 6e 67 75 61 67 65 2d 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 61 69 6e 65 72 7b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 Data Ascii: tline-offset:4px}.cmp-el-settings .settings-language-wrapper .container-wrapper .button.active{background:#4D4D4D;color:#fff;border-color:#4D4D4D}.cmp-el-settings .settings-language-wrapper .container{display:-webkit-flex;display:flex;-webkit-justify-cont
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 6f 6e 63 61 74 28 69 29 29 2c 74 2e 70 75 73 68 28 64 29 29 7d 7d 2c 74 7d 7d 2c 31 36 30 31 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 65 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 65 5b 31 5d 7d 7d 2c 37 38 33 33 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 74 2e 66 6f 72 6d 61 74 41 72 67 73 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 69 66 28 74 5b 30 5d 3d 28 74 68 69 73 2e 75 73 65 43 6f 6c 6f 72 73 3f 22 25 63 22 3a 22 22 29 2b 74 68 69 73 2e 6e 61 6d 65 73 70 61 63 65 2b 28 74 68 69 73 2e 75 73 65 43 6f 6c 6f 72 73 3f 22 20 25 63 22 3a 22 20 22 29 2b 74 5b 30 5d 2b 28 74 68 69 73 2e 75 73 65 43 6f 6c 6f 72 73 3f 22 25 63 20 22 3a 22 20 22 29 2b 22 2b 22 2b 65 2e 65 78 70 Data Ascii: oncat(i)),t.push(d))}},t}},1601:function(e){"use strict";e.exports=function(e){return e[1]}},7833:function(e,t,n){t.formatArgs=function(t){if(t[0]=(this.useColors?"%c":"")+this.namespace+(this.useColors?" %c":" ")+t[0]+(this.useColors?"%c ":" ")+"+"+e.exp
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 74 68 69 73 2e 69 73 50 61 75 73 65 64 28 29 2c 6e 3d 74 68 69 73 2e 5f 67 65 74 45 76 65 6e 74 44 61 74 61 28 7b 69 73 52 65 73 75 6d 65 64 3a 74 2c 69 73 50 72 6f 67 72 61 6d 6d 61 74 69 63 61 6c 6c 79 3a 65 7d 29 3b 74 68 69 73 2e 5f 66 69 72 65 43 61 6c 6c 62 61 63 6b 28 74 3f 22 72 65 73 75 6d 65 22 3a 22 73 74 61 72 74 22 2c 6e 29 2c 74 68 69 73 2e 5f 75 70 64 61 74 65 53 74 61 74 65 28 64 2e 73 74 61 74 65 73 2e 50 4c 41 59 2c 6e 29 7d 63 61 74 63 68 28 65 29 7b 74 68 69 73 2e 65 76 65 6e 74 73 2e 6f 6e 45 72 72 6f 72 3f 2e 28 60 45 72 72 6f 72 20 77 68 69 6c 65 20 70 6c 61 79 69 6e 67 3a 20 24 7b 65 7d 60 29 7d 66 69 6e 61 6c 6c 79 7b 74 68 69 73 2e 69 73 50 6c 61 79 49 6e 50 72 6f 67 72 65 73 73 3d 21 31 7d 7d 7d 70 61 75 73 65 28 7b 69 73 50 72 Data Ascii: this.isPaused(),n=this._getEventData({isResumed:t,isProgrammatically:e});this._fireCallback(t?"resume":"start",n),this._updateState(d.states.PLAY,n)}catch(e){this.events.onError?.(`Error while playing: ${e}`)}finally{this.isPlayInProgress=!1}}}pause({isPr
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 65 2e 65 72 72 6f 72 29 7d 63 6f 6e 73 74 20 6e 3d 60 24 7b 74 68 69 73 2e 74 72 61 63 6b 55 52 4c 7d 3f 24 7b 74 2e 74 6f 53 74 72 69 6e 67 28 29 7d 60 2c 73 3d 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 7b 2e 2e 2e 65 2c 74 3a 74 68 69 73 2e 74 6f 70 69 63 7d 29 3b 69 66 28 65 2e 6b 69 6e 64 3d 3d 3d 72 2e 41 2e 6c 65 61 76 65 50 61 67 65 26 26 6e 61 76 69 67 61 74 6f 72 2e 73 65 6e 64 42 65 61 63 6f 6e 29 72 65 74 75 72 6e 20 6e 61 76 69 67 61 74 6f 72 2e 73 65 6e 64 42 65 61 63 6f 6e 28 6e 2c 73 29 3b 66 65 74 63 68 28 6e 2c 7b 6d 65 74 68 6f 64 3a 22 50 4f 53 54 22 2c 6d 6f 64 65 3a 74 68 69 73 2e 65 6e 61 62 6c 65 54 65 73 74 4d 6f 64 65 3f 76 6f 69 64 20 30 3a 22 6e 6f 2d 63 6f 72 73 22 2c 68 65 61 64 65 72 73 3a 7b 22 43 6f 6e 74 65 6e 74 2d 54 Data Ascii: e.error)}const n=`${this.trackURL}?${t.toString()}`,s=JSON.stringify({...e,t:this.topic});if(e.kind===r.A.leavePage&&navigator.sendBeacon)return navigator.sendBeacon(n,s);fetch(n,{method:"POST",mode:this.enableTestMode?void 0:"no-cors",headers:{"Content-T
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 3d 22 24 72 6f 6f 74 2e 72 65 77 69 6e 64 22 3e 3c 2f 63 6d 70 2d 65 6c 2d 72 65 77 69 6e 64 3e 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 65 6d 70 6c 61 74 65 3e 5c 6e 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6d 70 2d 65 6c 2d 72 65 77 69 6e 64 20 3a 74 61 62 69 6e 64 65 78 3d 22 35 30 22 20 74 79 70 65 3d 22 66 6f 72 77 61 72 64 22 20 40 72 65 77 69 6e 64 3d 22 24 72 6f 6f 74 2e 72 65 77 69 6e 64 22 3e 3c 2f 63 6d 70 2d 65 6c 2d 72 65 77 69 6e 64 3e 5c 6e 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 5c 6e 20 20 20 20 20 20 20 20 20 20 3c 63 6d 70 2d 65 6c 2d 73 70 65 65 64 20 3a 74 61 62 69 6e 64 65 78 3d 22 36 30 22 20 40 63 68 61 6e 67 65 3d 22 24 72 6f 6f 74 2e 73 65 74 53 70 65 65 64 22 3e 3c 2f 63 6d 70 2d 65 6c 2d 73 70 65 65 64 Data Ascii: ="$root.rewind"></cmp-el-rewind>\n </template>\n\n <cmp-el-rewind :tabindex="50" type="forward" @rewind="$root.rewind"></cmp-el-rewind>\n </div>\n <cmp-el-speed :tabindex="60" @change="$root.setSpeed"></cmp-el-speed
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 29 7b 66 6f 72 28 76 61 72 20 74 2c 6e 2c 73 3d 22 22 2c 69 3d 22 22 2c 72 3d 30 2c 61 3d 30 3b 6e 3d 65 2e 63 68 61 72 41 74 28 61 2b 2b 29 3b 7e 6e 26 26 28 74 3d 72 25 34 3f 36 34 2a 74 2b 6e 3a 6e 2c 72 2b 2b 25 34 29 3f 73 2b 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 32 35 35 26 74 3e 3e 28 2d 32 2a 72 26 36 29 29 3a 30 29 6e 3d 22 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 30 31 32 33 34 35 36 37 38 39 2b 2f 3d 22 2e 69 6e 64 65 78 4f 66 28 6e 29 3b 66 6f 72 28 76 61 72 20 6f 3d 30 2c 6c 3d 73 2e 6c 65 6e 67 74 68 3b 6f 3c 6c 3b 6f 2b 2b 29 69 2b 3d 22 25 22 2b 28 22 30 30 22 2b 73 2e 63 68 61 72 43 6f 64 65 41 74 28 Data Ascii: ){for(var t,n,s="",i="",r=0,a=0;n=e.charAt(a++);~n&&(t=r%4?64t+n:n,r++%4)?s+=String.fromCharCode(255&t>>(-2r&6)):0)n="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=".indexOf(n);for(var o=0,l=s.length;o<l;o++)i+="%"+("00"+s.charCodeAt(
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 74 2e 5f 5f 76 5f 69 73 52 65 66 3f 75 65 28 65 2c 74 2e 76 61 6c 75 65 29 3a 5f 28 74 29 3f 7b 5b 60 4d 61 70 28 24 7b 74 2e 73 69 7a 65 7d 29 60 5d 3a 5b 2e 2e 2e 74 2e 65 6e 74 72 69 65 73 28 29 5d 2e 72 65 64 75 63 65 28 28 28 65 2c 5b 74 2c 6e 5d 2c 73 29 3d 3e 28 65 5b 70 65 28 74 2c 73 29 2b 22 20 3d 3e 22 5d 3d 6e 2c 65 29 29 2c 7b 7d 29 7d 3a 53 28 74 29 3f 7b 5b 60 53 65 74 28 24 7b 74 2e 73 69 7a 65 7d 29 60 5d 3a 5b 2e 2e 2e 74 2e 76 61 6c 75 65 73 28 29 5d 2e 6d 61 70 28 28 65 3d 3e 70 65 28 65 29 29 29 7d 3a 43 28 74 29 3f 70 65 28 74 29 3a 21 78 28 74 29 7c 7c 62 28 74 29 7c 7c 44 28 74 29 3f 74 3a 53 74 72 69 6e 67 28 74 29 2c 70 65 3d 28 65 2c 74 3d 22 22 29 3d 3e 7b 76 61 72 20 6e 3b 72 65 74 75 72 6e 20 43 28 65 29 3f 60 53 79 6d 62 6f Data Ascii: t.__v_isRef?ue(e,t.value):_(t)?{[`Map(${t.size})`]:[...t.entries()].reduce(((e,[t,n],s)=>(e[pe(t,s)+" =>"]=n,e)),{})}:S(t)?{[`Set(${t.size})`]:[...t.values()].map((e=>pe(e)))}:C(t)?pe(t):!x(t)\|\|b(t)\|\|D(t)?t:String(t),pe=(e,t="")=>{var n;return C(e)?`Symbo
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 6e 28 75 2c 68 29 29 29 29 3a 28 75 2e 70 65 6e 64 69 6e 67 49 64 3d 52 6e 2b 2b 2c 79 3f 28 75 2e 69 73 48 79 64 72 61 74 69 6e 67 3d 21 31 2c 75 2e 61 63 74 69 76 65 42 72 61 6e 63 68 3d 66 29 3a 63 28 66 2c 69 2c 75 29 2c 75 2e 64 65 70 73 3d 30 2c 75 2e 65 66 66 65 63 74 73 2e 6c 65 6e 67 74 68 3d 30 2c 75 2e 68 69 64 64 65 6e 43 6f 6e 74 61 69 6e 65 72 3d 64 28 22 64 69 76 22 29 2c 67 3f 28 6c 28 6e 75 6c 6c 2c 70 2c 75 2e 68 69 64 64 65 6e 43 6f 6e 74 61 69 6e 65 72 2c 6e 75 6c 6c 2c 69 2c 75 2c 72 2c 61 2c 6f 29 2c 75 2e 64 65 70 73 3c 3d 30 3f 75 2e 72 65 73 6f 6c 76 65 28 29 3a 28 6c 28 6d 2c 68 2c 6e 2c 73 2c 69 2c 6e 75 6c 6c 2c 72 2c 61 2c 6f 29 2c 6a 6e 28 75 2c 68 29 29 29 3a 6d 26 26 6e 72 28 70 2c 6d 29 3f 28 6c 28 6d 2c 70 2c 6e 2c 73 2c Data Ascii: n(u,h)))):(u.pendingId=Rn++,y?(u.isHydrating=!1,u.activeBranch=f):c(f,i,u),u.deps=0,u.effects.length=0,u.hiddenContainer=d("div"),g?(l(null,p,u.hiddenContainer,null,i,u,r,a,o),u.deps<=0?u.resolve():(l(m,h,n,s,i,null,r,a,o),jn(u,h))):m&&nr(p,m)?(l(m,p,n,s,
2024-03-28 17:03:37 UTC	16384	IN	Data Raw: 74 3b 6c 65 74 20 61 3d 21 31 3b 63 6f 6e 73 74 20 6f 3d 69 2e 61 70 70 3d 7b 5f 75 69 64 3a 6e 69 2b 2b 2c 5f 63 6f 6d 70 6f 6e 65 6e 74 3a 6e 2c 5f 70 72 6f 70 73 3a 73 2c 5f 63 6f 6e 74 61 69 6e 65 72 3a 6e 75 6c 6c 2c 5f 63 6f 6e 74 65 78 74 3a 69 2c 5f 69 6e 73 74 61 6e 63 65 3a 6e 75 6c 6c 2c 76 65 72 73 69 6f 6e 3a 46 72 2c 67 65 74 20 63 6f 6e 66 69 67 28 29 7b 72 65 74 75 72 6e 20 69 2e 63 6f 6e 66 69 67 7d 2c 73 65 74 20 63 6f 6e 66 69 67 28 65 29 7b 7d 2c 75 73 65 3a 28 65 2c 2e 2e 2e 74 29 3d 3e 28 72 2e 68 61 73 28 65 29 7c 7c 28 65 26 26 77 28 65 2e 69 6e 73 74 61 6c 6c 29 3f 28 72 2e 61 64 64 28 65 29 2c 65 2e 69 6e 73 74 61 6c 6c 28 6f 2c 2e 2e 2e 74 29 29 3a 77 28 65 29 26 26 28 72 2e 61 64 64 28 65 29 2c 65 28 6f 2c 2e 2e 2e 74 29 29 29 Data Ascii: t;let a=!1;const o=i.app={_uid:ni++,_component:n,_props:s,_container:null,_context:i,_instance:null,version:Fr,get config(){return i.config},set config(e){},use:(e,...t)=>(r.has(e)\|\|(e&&w(e.install)?(r.add(e),e.install(o,...t)):w(e)&&(r.add(e),e(o,...t)))

Target ID:	0
Start time:	18:03:35
Start date:	28/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js" > cmdline.out 2>&1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:03:35
Start date:	28/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:03:35
Start date:	28/03/2024
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js"
Imagebase:	0x400000
File size:	3'895'184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:03:38
Start date:	28/03/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download\trinity-player.js"
Imagebase:	0x7ff7a9bf0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\cmdline.out

C:\Users\user\Desktop\download\trinity-player.js

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 6916, Parent PID: 3704

General

Chronological Activities

Analysis Process: conhost.exePID: 7028, Parent PID: 6916

General

Chronological Activities

Analysis Process: wget.exePID: 6276, Parent PID: 6916

General

Windows Analysis Report
https://vd.trinitymedia.ai/trinity-player/tts-player/20240326_55ac2d82cc134f115fe47a2f6d79101d1306d03c/trinity-player.js