IOC Report
https://www.hr-benefits.site/?t=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImZhMjk2ZDJmLTU4ZWQtNDYyMi05YzJmLWQ2MGRlODVjZThhMiIsImNlbGwiOiJodHRwczovLzIxZzZqZnZoeTYuZXhlY3V0ZS1hcGkudXMtZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiYmU1ZTQxOGQtZmRiNi00N2IwLWF

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 14:04:30 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 14:04:30 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:56:51 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 14:04:30 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 14:04:30 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 14:04:30 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide | dropped | |
| Chrome Cache Entry: 100 | ASCII text, with very long lines (15521), with no line terminators | downloaded | |
| Chrome Cache Entry: 77 | ASCII text, with very long lines (7975), with no line terminators | downloaded | |
| Chrome Cache Entry: 78 | HTML document, ASCII text | downloaded | |
| Chrome Cache Entry: 79 | Unicode text, UTF-8 text, with very long lines (32455) | downloaded | |
| Chrome Cache Entry: 80 | ASCII text, with very long lines (10160), with no line terminators | downloaded | |
| Chrome Cache Entry: 81 | PNG image data, 232 x 79, 8-bit/color RGBA, non-interlaced | dropped | |
| Chrome Cache Entry: 82 | ASCII text, with very long lines (9622), with no line terminators | downloaded | |
| Chrome Cache Entry: 83 | TrueType Font data, 19 tables, 1st "FFTM", 19 names, Microsoft, language 0x409, Copyright (c) 2008 by M\207rio Feliciano. All rights reserved.Flama MediumRegular3.000;FTF;2008; | downloaded | |
| Chrome Cache Entry: 84 | TrueType Font data, 19 tables, 1st "FFTM", 19 names, Microsoft, language 0x409, Copyright (c) 2008 by M\207rio Feliciano. All rights reserved.Flama BookRegular3.000;FTF;2008;Fl | downloaded | |
| Chrome Cache Entry: 85 | PNG image data, 200 x 198, 8-bit/color RGBA, non-interlaced | dropped | |
| Chrome Cache Entry: 86 | ASCII text, with very long lines (15718) | downloaded | |
| Chrome Cache Entry: 87 | HTML document, ASCII text | downloaded | |
| Chrome Cache Entry: 88 | TrueType Font data, 19 tables, 1st "FFTM", 19 names, Microsoft, language 0x409, Copyright (c) 2008 by M\207rio Feliciano. All rights reserved.Flama LightRegular3.000;FTF;2008;F | downloaded | |
| Chrome Cache Entry: 89 | PNG image data, 232 x 79, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 90 | RIFF (little-endian) data, Web/P image | downloaded | |
| Chrome Cache Entry: 91 | PNG image data, 200 x 198, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 92 | ASCII text, with very long lines (1021), with no line terminators | downloaded | |
| Chrome Cache Entry: 93 | Unicode text, UTF-8 text, with very long lines (32997), with no line terminators | downloaded | |
| Chrome Cache Entry: 94 | ASCII text, with very long lines (10255), with no line terminators | downloaded | |
| Chrome Cache Entry: 95 | Unicode text, UTF-8 text, with very long lines (47648), with CRLF, LF line terminators | downloaded | |
| Chrome Cache Entry: 96 | ASCII text, with very long lines (65447) | downloaded | |
| Chrome Cache Entry: 97 | ASCII text, with very long lines (53449) | downloaded | |
| Chrome Cache Entry: 98 | PNG image data, 32 x 32, 8-bit colormap, non-interlaced | dropped | |
| Chrome Cache Entry: 99 | ASCII text, with very long lines (59060) | downloaded | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" | |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1708,i,8188062310035751016,12932038185904332002,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.hr-benefits.site/?t=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImZhMjk2ZDJmLTU4ZWQtNDYyMi05YzJmLWQ2MGRlODVjZThhMiIsImNlbGwiOiJodHRwczovLzIxZzZqZnZoeTYuZXhlY3V0ZS1hcGkudXMtZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiYmU1ZTQxOGQtZmRiNi00N2IwLWFmZjItN2Y4ZTcxMjQ4ZmVhIiwidGVzdF90b2tlbiI6ZmFsc2UsImV4dGVybmFsX3RyYWluaW5nIjpmYWxzZSwiZGlyZWN0X2RlbGl2ZXJ5Ijp0cnVlLCJpYXQiOjE3MTMyNzgzNjksImlzcyI6Imh0dHBzOi8vYXBwLnBoaXNodGhyZWF0LmNvbSIsImV4cCI6MTcyMTA1NDM2OX0.Qa0DWnRj-q6Y-9K9dNCNoX-fwlEkDB9HInaE65rddd0" | |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://www.hr-benefits.site/?t=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImZhMjk2ZDJmLTU4ZWQtNDYyMi05YzJmLWQ2MGRlODVjZThhMiIsImNlbGwiOiJodHRwczovLzIxZzZqZnZoeTYuZXhlY3V0ZS1hcGkudXMtZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiYmU1ZTQxOGQtZmRiNi00N2IwLWFmZjItN2Y4ZTcxMjQ4ZmVhIiwidGVzdF90b2tlbiI6ZmFsc2UsImV4dGVybmFsX3RyYWluaW5nIjpmYWxzZSwiZGlyZWN0X2RlbGl2ZXJ5Ijp0cnVlLCJpYXQiOjE3MTMyNzgzNjksImlzcyI6Imh0dHBzOi8vYXBwLnBoaXNodGhyZWF0LmNvbSIsImV4cCI6MTcyMTA1NDM2OX0.Qa0DWnRj-q6Y-9K9dNCNoX-fwlEkDB9HInaE65rddd0 | | |
| https://staysafe.sophos.com/_static/??-eJzTLy/QzcxLzilNSS3WzyrWz01NyUxMzUnNTc0rQeEU5CRWphbp5qSmJyZX6uVm5uklFxfr6OPTDpRD5sM02efaGpobGpkbGJgbmgAARI0u2Q== | 192.0.66.2 | |
| https://s0.wp.com/wp-content/mu-plugins/notes/admin-bar-v2.js?ver=13.1.3-202416-lite | 192.0.77.32 | |
| https://staysafe.sophos.com/wp-content/themes/phishthreat/assets/fonts/flama-light-webfont.ttf | 192.0.66.2 | |
| http://fontawesome.io | unknown | |
| https://widgets.wp.com/3rd-party-cookie-check/complete.html | | |
| https://s0.wp.com/i/noticons/noticons.css?ver=13.1.3-202416-lite | 192.0.77.32 | |
| https://staysafe.sophos.com/wp-content/themes/phishthreat/assets/images/sophos-logo.png | 192.0.66.2 | |
| https://staysafe.sophos.com/wp-content/plugins/sensei/assets/dist/blocks/single-course.css?m=1706617386g | 192.0.66.2 | |
| https://staysafe.sophos.com/wp-content/themes/phishthreat/assets/images/secondary-logo.png | 192.0.66.2 | |
| https://staysafe.sophos.com/wp-content/themes/phishthreat/assets/fonts/flama-medium-webfont.ttf | 192.0.66.2 | |
| https://staysafe.sophos.com/_static/??/wp-includes/css/dashicons.min.css,/wp-includes/css/admin-bar.min.css?m=1712700713 | 192.0.66.2 | |
| https://staysafe.sophos.com/wp-content/themes/phishthreat/assets/scripts/bundle.min.js?m=1693396320g | 192.0.66.2 | |
| https://staysafe.sophos.com/wp-content/uploads/2018/05/cropped-sophos.png?w=32 | 192.0.66.2 | |
| https://staysafe.sophos.com/wp-includes/js/wp-emoji-release.min.js?ver=6.3.4 | 192.0.66.2 | |
| https://widgets.wp.com/3rd-party-cookie-check/index.html | 192.0.77.32 | |
| https://s0.wp.com/wp-content/mu-plugins/notes/notes-common-lite.min.js?ver=13.1.3-202416-lite | 192.0.77.32 | |
| https://staysafe.sophos.com/_static/??-eJzTLy/QzcxLzilNSS3WzwKiwtLUokoopZebmaeXVayjj0+Rbm5melFiSSpUsX2uraG5oZG5gYG5oUkWAK87IhY= | 192.0.66.2 | |
| https://staysafe.sophos.com/_static/??/wp-content/themes/phishthreat/assets/css/master.min.css,/wp-content/mu-plugins/jetpack-13.1/css/jetpack.css?m=1712607690 | 192.0.66.2 | |
| https://s0.wp.com/wp-content/mu-plugins/notes/admin-bar-v2.css?ver=13.1.3-202416-lite | 192.0.77.32 | |
| https://staysafe.sophos.com/wp-content/themes/phishthreat/assets/fonts/flama-book-webfont.ttf | 192.0.66.2 | |
| https://staysafe.sophos.com/course/insider-threats_en-us/ | | |
| https://staysafe.sophos.com/_static/??-eJyNj9EKwjAMRX/Imk2EPYnfMttspLbpTFplf2+RCRN0+JSHew43Fx6TIbahOFTwCo40wx3ZJYEaTSnMA4VQGZS8j8R7rzvYkARHrGyfkxgpnCniP9qqaxN3KRrB3s1ryibOyBmmUEZiBUVWJOhVMS/eJSR7VbCpiKJJJYe6CAZ5me5bnb8VlHk5v376gEyksQ5/7z3HU9u1h65puvbon0qYhpk= | 192.0.66.2 | |
| https://staysafe.sophos.com/wp-includes/css/dist/block-library/style.min.css?m=1712700713g | 192.0.66.2 | |
| http://fontawesome.io/license | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| secure.gravatar.com | 192.0.73.2 | |
| staysafe.sophos.com | 192.0.66.2 | |
| lb.wordpress.com | 192.0.78.12 | |
| www.google.com | 142.251.15.104 | |
| widgets.wp.com | 192.0.77.32 | |
| s0.wp.com | 192.0.77.32 | |
| www.hr-benefits.site | 176.34.132.70 | |
| www.sophos.com | unknown | |
| v0.wordpress.com | unknown | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 192.0.66.2 | staysafe.sophos.com | United States | |
| 192.168.2.9 | unknown | unknown | |
| 239.255.255.250 | unknown | Reserved | |
| 192.0.77.32 | widgets.wp.com | United States | |
| 176.34.132.70 | www.hr-benefits.site | Ireland | |
| 142.251.15.104 | www.google.com | United States | |

DOM / HTML

| URL | Malicious |
|---|---|
| https://staysafe.sophos.com/?t=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImZhMjk2ZDJmLTU4ZWQtNDYyMi05YzJmLWQ2MGRlODVjZThhMiIsImNlbGwiOiJodHRwczovLzIxZzZqZnZoeTYuZXhlY3V0ZS1hcGkudXMtZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiYmU1ZTQxOGQtZmRiNi00N2IwLWFmZjItN2Y4ZTcxMjQ4ZmVhIiwidGVzdF90b2tlbiI6ZmFsc2UsImV4dGVybmFsX3RyYWluaW5nIjpmYWxzZSwiZGlyZWN0X2RlbGl2ZXJ5Ijp0cnVlLCJpYXQiOjE3MTMyNzgzNjksImlzcyI6Imh0dHBzOi8vYXBwLnBoaXNodGhyZWF0LmNvbSIsImV4cCI6MTcyMTA1NDM2OX0.Qa0DWnRj-q6Y-9K9dNCNoX-fwlEkDB9HInaE65rddd0 | |
| https://widgets.wp.com/3rd-party-cookie-check/complete.html | |
| https://staysafe.sophos.com/?t=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImZhMjk2ZDJmLTU4ZWQtNDYyMi05YzJmLWQ2MGRlODVjZThhMiIsImNlbGwiOiJodHRwczovLzIxZzZqZnZoeTYuZXhlY3V0ZS1hcGkudXMtZWFzdC0yLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiYmU1ZTQxOGQtZmRiNi00N2IwLWFmZjItN2Y4ZTcxMjQ4ZmVhIiwidGVzdF90b2tlbiI6ZmFsc2UsImV4dGVybmFsX3RyYWluaW5nIjpmYWxzZSwiZGlyZWN0X2RlbGl2ZXJ5Ijp0cnVlLCJpYXQiOjE3MTMyNzgzNjksImlzcyI6Imh0dHBzOi8vYXBwLnBoaXNodGhyZWF0LmNvbSIsImV4cCI6MTcyMTA1NDM2OX0.Qa0DWnRj-q6Y-9K9dNCNoX-fwlEkDB9HInaE65rddd0#content | |
| https://staysafe.sophos.com/course/insider-threats_en-us/ | |