Edit tour

Windows Analysis Report
https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082

Overview

General Information

Sample URL:	https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082
Analysis ID:	1417339
Infos:

Detection

TechSupportScam

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Phishing site detected (based on favicon image match)

Yara detected TechSupportScam

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4324 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5296 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=1924,i,7475844512854562831,7743836703688787719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_98	JoeSecurity_TechSupportScam	Yara detected TechSupportScam	Joe Security

HTML

Source	Rule	Description	Author	Strings
0.0.pages.csv	JoeSecurity_TechSupportScam	Yara detected TechSupportScam	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082

SlashNext: detection malicious, Label: Scareware type: Phishing & Social Engineering

Phishing

Phishing site detected (based on favicon image match)

Source: https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082

Matcher: Template: microsoft matched with high similarity

Yara detected TechSupportScam

Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_98, type: DROPPED

Source: unknown	HTTPS traffic detected: 23.52.162.98:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.52.162.98:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	TCP traffic detected without corresponding DNS query: 23.52.162.98
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /postback?format=img&sum={replace} HTTP/1.1Host: m03lm.rdtk.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://sdf37.z12.web.core.windows.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /get/script.js?referrer=https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082 HTTP/1.1Host: userstatics.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://sdf37.z12.web.core.windows.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_79.2.dr, chromecache_76.2.dr

String found in binary or memory: return b}sC.D="internal.enableAutoEventOnTimer";var Dc=ia(["data-gtm-yt-inspected-"]),uC=["www.youtube.com","www.youtube-nocookie.com"],vC,wC=!1; equals www.youtube.com (Youtube)

Source: chromecache_78.2.dr	String found in binary or memory: http://fontawesome.io
Source: chromecache_78.2.dr	String found in binary or memory: http://fontawesome.io/license
Source: chromecache_79.2.dr	String found in binary or memory: https://adservice.google.com/pagead/regclk
Source: chromecache_79.2.dr	String found in binary or memory: https://adservice.googlesyndication.com/pagead/regclk
Source: chromecache_93.2.dr	String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: chromecache_79.2.dr, chromecache_76.2.dr	String found in binary or memory: https://cct.google/taggy/agent.js
Source: chromecache_81.2.dr	String found in binary or memory: https://ezgif.com/optimize
Source: chromecache_63.2.dr	String found in binary or memory: https://getbootstrap.com/)
Source: chromecache_63.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
Source: chromecache_63.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: chromecache_79.2.dr, chromecache_76.2.dr	String found in binary or memory: https://pagead2.googlesyndication.com
Source: chromecache_79.2.dr, chromecache_76.2.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: chromecache_79.2.dr	String found in binary or memory: https://stats.g.doubleclick.net/g/collect
Source: chromecache_79.2.dr	String found in binary or memory: https://stats.g.doubleclick.net/g/collect?v=2&
Source: chromecache_93.2.dr	String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: chromecache_93.2.dr	String found in binary or memory: https://tagassistant.google.com/
Source: chromecache_79.2.dr, chromecache_76.2.dr	String found in binary or memory: https://td.doubleclick.net
Source: chromecache_76.2.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: chromecache_93.2.dr	String found in binary or memory: https://www.google-analytics.com/debug/bootstrap?id=
Source: chromecache_93.2.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: chromecache_93.2.dr	String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: chromecache_79.2.dr, chromecache_76.2.dr	String found in binary or memory: https://www.google.com
Source: chromecache_93.2.dr	String found in binary or memory: https://www.google.com/ads/ga-audiences
Source: chromecache_79.2.dr, chromecache_76.2.dr	String found in binary or memory: https://www.googleadservices.com
Source: chromecache_79.2.dr, chromecache_76.2.dr	String found in binary or memory: https://www.googletagmanager.com
Source: chromecache_79.2.dr, chromecache_76.2.dr	String found in binary or memory: https://www.googletagmanager.com/a?
Source: chromecache_93.2.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: chromecache_98.2.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-126954833-1
Source: chromecache_76.2.dr	String found in binary or memory: https://www.googletagmanager.com/static/exp/keys.json
Source: chromecache_79.2.dr	String found in binary or memory: https://www.merchant-center-analytics.goog

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=1924,i,7475844512854562831,7743836703688787719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=1924,i,7475844512854562831,7743836703688787719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082	0%	Avira URL Cloud	safe
https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082	0%	Virustotal		Browse
https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082	100%	SlashNext	Scareware type: Phishing & Social Engineering

Source	Detection	Scanner	Link
userstatics.com	0%	Virustotal	Browse
m03lm.rdtk.io	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
wdc.rdtk.io	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
https://www.google.%/ads/ga-audiences	0%	URL Reputation	safe
https://www.merchant-center-analytics.goog	0%	URL Reputation	safe
https://cct.google/taggy/agent.js	0%	URL Reputation	safe
https://m03lm.rdtk.io/postback?format=img&sum={replace}	0%	Virustotal		Browse
https://m03lm.rdtk.io/postback?format=img&sum={replace}	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Antivirus Detection	Reputation
userstatics.com	172.67.208.186	true	false	0%, Virustotal, Browse	unknown
wdc.rdtk.io	207.244.126.81	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.31.106	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
m03lm.rdtk.io	unknown	unknown	false	0%, Virustotal, Browse	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	chromecache_79.2.dr, chromecache_76.2.dr	false		high
http://fontawesome.io	chromecache_78.2.dr	false		high
https://stats.g.doubleclick.net/g/collect	chromecache_79.2.dr	false		high
https://github.com/twbs/bootstrap/graphs/contributors)	chromecache_63.2.dr	false		high
https://www.google.com/ads/ga-audiences	chromecache_93.2.dr	false		high
https://www.google.%/ads/ga-audiences	chromecache_93.2.dr	false	URL Reputation: safe	low
https://td.doubleclick.net	chromecache_79.2.dr, chromecache_76.2.dr	false		high
https://github.com/twbs/bootstrap/blob/main/LICENSE)	chromecache_63.2.dr	false		high
https://www.merchant-center-analytics.goog	chromecache_79.2.dr	false	URL Reputation: safe	unknown
https://stats.g.doubleclick.net/g/collect?v=2&	chromecache_79.2.dr	false		high
https://tagassistant.google.com/	chromecache_93.2.dr	false		high
https://stats.g.doubleclick.net/j/collect	chromecache_93.2.dr	false		high
https://adservice.google.com/pagead/regclk	chromecache_79.2.dr	false		high
https://ampcid.google.com/v1/publisher:getClientId	chromecache_93.2.dr	false		high
https://getbootstrap.com/)	chromecache_63.2.dr	false		high
https://cct.google/taggy/agent.js	chromecache_79.2.dr, chromecache_76.2.dr	false	URL Reputation: safe	unknown
https://ezgif.com/optimize	chromecache_81.2.dr	false		high
http://fontawesome.io/license	chromecache_78.2.dr	false		high

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.31.106	www.google.com	United States	15169	GOOGLEUS	false
172.67.208.186	userstatics.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
207.244.126.81	wdc.rdtk.io	United States	30633	LEASEWEB-USA-WDCUS	false

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417339
Start date and time:	2024-03-29 01:25:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.phis.win@16/69@6/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	assembler source, ASCII text, with very long lines (1266)
Category:	downloaded
Size (bytes):	8998
Entropy (8bit):	5.073503499348402
Encrypted:	false
SSDEEP:	192:MsW6dQjSpBjOnVX/tDSIZG43JPxDgXhCvl3RQ29Pibt04gxNgS0IOLh:MQqjujSX/5SIZV3JPJnvRvdxaLF
MD5:	6EF2560453A7B6BFF8EA7EC4265A9816
SHA1:	1ED7044A0579BB751B10BA7353A36E9D208C659E
SHA-256:	A072681FF11D60E33EB625E1D75E828542F80C9362D905C3EB9626063E27B4CC
SHA-512:	9F5F4680B6B344291F675C0E164CE20BF1626CA5B6FB84681CACD439EA8FA1DC02C0E9D9DA1DE09090DF3346E29460FAA71BA5557639B1CAF0829C34BD99AD50
Malicious:	false
Reputation:	low
URL:	https://sdf37.z12.web.core.windows.net/werrx01USAHTML/css/styles.css
Preview:	body {. background: #fff;. -webkit-user-select: none;.-ms-user-select: none;.user-select: none;. /. background: url('bg.png');. background-repeat: no-repeat;. background-size: cover;. /.font-family: "Calibri", sans-serif;. overflow-y: hidden;. overflow-x: hidden;. }. .top {. padding-left: 10px;.. }..progress {.. width: 250px;..background: #d1d1d1;. height: 04px;..}...progress .progress__bar {. height: 100%;. width: 0%;. border-radius: 2px;. background-color: #3182be;. animation: fill-bar 6s 1;.}..@keyframes fill-bar {. from {width: 0%;}. to {width: 100%;}..}..textc {. color: grey;. font-size: 13px;.}..flex {. display: flex;.}..button {.background: #cccccc;.color: #000;.padding: 6px 32px;.text-align: center;.text-decoration: none;.display: inline-block;.font-size: 13px;.margin: 4px 2px;.cursor: pointer;.font-weight:350;..}.. .centerright img {. max-width: 100%;.}..centerright ul {. padding: 0;. list-style-type: none;.}..centerright ul {. columns: 3;.}..cente

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 77 x 63, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	920
Entropy (8bit):	7.724066066811572
Encrypted:	false
SSDEEP:	12:6v/7mB/l0/J6RqecpVWT8b+KOKdshUh+fawoZ0fIJJXTSpB9rXMnhiXy1wps22h:RLO5XWT8ahKdshUhgpuZTuB9rgiICw
MD5:	B0495EDE4C875843FEC037C794E9FF9A
SHA1:	C813AEFBA255A5CC53AEA7811F987CCB551C3128
SHA-256:	52B762D47C066E16300675D56CC359B504FFD3239438C96EB973864311BB7B79
SHA-512:	41C4F6A27BA85162C03B80AFB29CCE78F4F6BCED74D1249D4E8DECD53E9D9B52230CBC8321F7B579ED30C0285F75B9EECB14724D55DC2F4D4906BFDB2C2B75C3
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...M...?......=.H....sRGB.........gAMA......a.....PLTE..........................................\|......o..o.\|b..b.pV..W.fJ..T.c=..D..1..=.N9.K$..(..).<........3..0.~..x..z...$.\|...7..i..U..6..!....<......IDATx..m..@...I.R.Ff..;......p...?....:{...o....7.......(..k.B..`BdCZ..cp.Tz..E.....q.6.\._)Q....._.)..q....}....r.B.\|.q<.ZR,...v....:K.....e#.A/.o....p..]...j-..mu.p8....h\...>.....7!. u...JR.....V.N..Y..^a0..K5..... ......;p'!..'.R....Rx.L>....t-.......)....&%X.8.I......}.VZ....4..2`.=.n..6(.6..cpl.l.82..H[X.=..VH.e.c..r..Eom.Lm.+..F.r=..h..jn\l.-..../?e-.g.&..c...........9kB...].4..U....AK..::%3h........}..Tsw....P..+.M.vZ....d.......q'w.,t..a.~.<..:i;..$.O.O..4.Phig.F..=.......,.._..]....O~...+l.../y........I..,..........,..m.<9k/w...~..g:../.@...n.m#;...b..k..zD.....+.4..[..i"ma.pg.J...;..h^....2...y.lF7.(...C.W.V.nAor.......c.....IEND.B`.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32478)
Category:	downloaded
Size (bytes):	84817
Entropy (8bit):	5.373777901642572
Encrypted:	false
SSDEEP:	1536:AP1Wk7i6GUHdXXeyQazBu+4HhiO2Id0uJO1z6/A4fGAub0i4ULgGiyz4npa98Hrb:K4UdeJiz6UAIJ8pa98Hrb
MD5:	20C129BEDB4A26DB02FC0F54D026C3F5
SHA1:	093B9D2728788DE24A728742070A348B2848573F
SHA-256:	436ECC90FAB5ED1034B68A4A0E924E0132D93D9E7FB59B4FE23018EB7D9242C1
SHA-512:	1997641A1DBA92AF7C28FE67C14FC3F89C1E49BE14DD8A8903C3C5D4A4AAE6161B00BF37D02EDA6E8B45F88936C0A7871C1D465036D6F1D18C36ED8D419B78DE
Malicious:	false
Reputation:	low
URL:	https://sdf37.z12.web.core.windows.net/werrx01USAHTML/js/jquery.min.js
Preview:	/! jQuery v2.1.3 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.3",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,functi

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 01:26:01.705429077 CET	49675	443	192.168.2.4	173.222.162.32
Mar 29, 2024 01:26:02.939789057 CET	49678	443	192.168.2.4	104.46.162.224
Mar 29, 2024 01:26:11.320739031 CET	49675	443	192.168.2.4	173.222.162.32
Mar 29, 2024 01:26:11.489257097 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:11.489296913 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:11.489567995 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:11.543801069 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:11.543817043 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:11.585194111 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:11.585206032 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:11.585371971 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:11.585663080 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:11.585674047 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:11.684461117 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:11.684468985 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:11.684619904 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:11.684824944 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:11.684834957 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:11.794583082 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:11.808948040 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:11.808968067 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:11.809839010 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:11.809927940 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:11.811744928 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:11.811796904 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:11.860187054 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:11.860193014 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:11.878314018 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:11.878791094 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:11.902225971 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:11.925137997 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:11.925159931 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:11.925380945 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:11.971472025 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:11.979110003 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:11.979631901 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:11.979640961 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:11.980500937 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:11.980560064 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:11.981875896 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:11.981925964 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:11.982170105 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:11.982175112 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:12.031801939 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:12.075033903 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.080832958 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:12.080877066 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:12.080919027 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:12.085674047 CET	49749	443	192.168.2.4	207.244.126.81
Mar 29, 2024 01:26:12.085688114 CET	443	49749	207.244.126.81	192.168.2.4
Mar 29, 2024 01:26:12.116241932 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.240302086 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.240461111 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.240515947 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.244558096 CET	49742	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.244580984 CET	443	49742	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.343485117 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.343530893 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.343604088 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.352715969 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.352734089 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.691148996 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.691220045 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.811129093 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.811157942 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.811382055 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:12.818516970 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:12.864238024 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:13.056231976 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:13.056390047 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:13.056570053 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:13.057934999 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:13.057934999 CET	49750	443	192.168.2.4	23.52.162.98
Mar 29, 2024 01:26:13.057954073 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:13.057964087 CET	443	49750	23.52.162.98	192.168.2.4
Mar 29, 2024 01:26:16.232719898 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.232728004 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.232786894 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.233233929 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.233242989 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.433298111 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.433506966 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.433515072 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.434390068 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.434447050 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.435781956 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.435833931 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.436230898 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.436237097 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.477807045 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.848274946 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.848371983 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:16.848417997 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.856770992 CET	49775	443	192.168.2.4	172.67.208.186
Mar 29, 2024 01:26:16.856780052 CET	443	49775	172.67.208.186	192.168.2.4
Mar 29, 2024 01:26:21.803193092 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:21.803248882 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:26:21.803452969 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:23.257977962 CET	49747	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:26:23.258004904 CET	443	49747	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:11.524255037 CET	49798	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:27:11.524285078 CET	443	49798	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:11.524352074 CET	49798	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:27:11.524667025 CET	49798	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:27:11.524677992 CET	443	49798	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:11.731281042 CET	443	49798	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:11.732064962 CET	49798	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:27:11.732089996 CET	443	49798	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:11.732398033 CET	443	49798	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:11.733161926 CET	49798	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:27:11.733228922 CET	443	49798	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:11.774599075 CET	49798	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:27:21.732640982 CET	443	49798	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:21.732703924 CET	443	49798	142.250.31.106	192.168.2.4
Mar 29, 2024 01:27:21.732873917 CET	49798	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:27:23.310710907 CET	49798	443	192.168.2.4	142.250.31.106
Mar 29, 2024 01:27:23.310735941 CET	443	49798	142.250.31.106	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 01:26:06.761370897 CET	53	61188	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:06.826313972 CET	53	56536	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:07.472156048 CET	53	56888	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:11.487377882 CET	61618	53	192.168.2.4	1.1.1.1
Mar 29, 2024 01:26:11.487603903 CET	55020	53	192.168.2.4	1.1.1.1
Mar 29, 2024 01:26:11.535315990 CET	58666	53	192.168.2.4	1.1.1.1
Mar 29, 2024 01:26:11.535594940 CET	62188	53	192.168.2.4	1.1.1.1
Mar 29, 2024 01:26:11.582685947 CET	53	61618	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:11.583179951 CET	53	55020	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:11.629929066 CET	53	50127	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:11.666315079 CET	53	58666	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:11.681216002 CET	53	62188	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:14.331024885 CET	53	53650	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:16.133800983 CET	65026	53	192.168.2.4	1.1.1.1
Mar 29, 2024 01:26:16.133939028 CET	52452	53	192.168.2.4	1.1.1.1
Mar 29, 2024 01:26:16.231213093 CET	53	65026	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:16.232069016 CET	53	52452	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:16.955149889 CET	53	51754	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:25.042907000 CET	53	63461	1.1.1.1	192.168.2.4
Mar 29, 2024 01:26:33.483783960 CET	138	138	192.168.2.4	192.168.2.255
Mar 29, 2024 01:26:43.982242107 CET	53	55820	1.1.1.1	192.168.2.4
Mar 29, 2024 01:27:06.707426071 CET	53	60553	1.1.1.1	192.168.2.4
Mar 29, 2024 01:27:07.184096098 CET	53	50743	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-03-29 00:26:11 UTC	620	OUT	GET /postback?format=img&sum={replace} HTTP/1.1 Host: m03lm.rdtk.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://sdf37.z12.web.core.windows.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-03-29 00:26:12 UTC	158	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.2 Date: Fri, 29 Mar 2024 00:26:12 GMT Content-Type: application/json Content-Length: 73 Connection: close
2024-03-29 00:26:12 UTC	73	IN	Data Raw: 7b 22 73 74 61 74 75 73 22 3a 30 2c 22 6d 65 73 73 61 67 65 22 3a 22 69 6e 76 61 6c 69 64 20 61 74 74 72 69 62 75 74 69 6f 6e 20 70 61 72 61 6d 65 74 65 72 73 3a 20 76 61 6c 69 64 61 74 69 6f 6e 20 65 72 72 6f 72 22 7d Data Ascii: {"status":0,"message":"invalid attribution parameters: validation error"}

Timestamp	Bytes transferred	Direction	Data
2024-03-29 00:26:12 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-03-29 00:26:12 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=142983 Date: Fri, 29 Mar 2024 00:26:12 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-03-29 00:26:12 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-03-29 00:26:13 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0DMGnYgAAAACXaXykPZuVRq4aV6pCkeO8U0pDRURHRTAzMTgAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=143016 Date: Fri, 29 Mar 2024 00:26:13 GMT Content-Length: 55 Connection: close X-CID: 2
2024-03-29 00:26:13 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-03-29 00:26:16 UTC	626	OUT	GET /get/script.js?referrer=https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082 HTTP/1.1 Host: userstatics.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://sdf37.z12.web.core.windows.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-03-29 00:26:16 UTC	810	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 00:26:16 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.1 Access-Control-Allow-Origin: https://sdf37.z12.web.core.windows.net Access-Control-Allow-Methods: GET, POST Access-Control-Allow-Headers: X-Requested-With,content-type Access-Control-Allow-Credentials: true CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gkpz249ViVQTDpWoXX%2FkoG2NW28Wo%2BSUfiNtAfEZV%2BWm4FFM3oeLnYcou46H4VuzmRzdEJvYMTMoo66XzKtT1jxriNLGycTv5bKUftdKNijeWW2WDcmmi0fRcoY4BFk9v1Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86bbba3dddd85830-IAD alt-svc: h3=":443"; ma=86400
2024-03-29 00:26:16 UTC	139	IN	Data Raw: 38 35 0d 0a 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 22 73 63 72 69 70 74 22 29 2e 66 6f 72 45 61 63 68 28 65 3d 3e 7b 6e 65 77 20 52 65 67 45 78 70 28 61 74 6f 62 28 22 64 58 4e 6c 63 6e 4e 30 59 58 52 70 59 33 4d 75 59 32 39 74 22 29 29 2e 74 65 73 74 28 65 2e 73 72 63 29 26 26 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 72 65 6d 6f 76 65 43 68 69 6c 64 28 65 29 7d 29 3b 0d 0a Data Ascii: 85document.querySelectorAll("script").forEach(e=>{new RegExp(atob("dXNlcnN0YXRpY3MuY29t")).test(e.src)&&document.body.removeChild(e)});
2024-03-29 00:26:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	01:26:03
Start date:	29/03/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	01:26:05
Start date:	29/03/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=1924,i,7475844512854562831,7743836703688787719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	01:26:07
Start date:	29/03/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 100

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Chrome Cache Entry: 70

Chrome Cache Entry: 71

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Windows Analysis Report
https://sdf37.z12.web.core.windows.net/werrx01USAHTML/?bcda=1-855-314-9082

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre