Windows Analysis Report
https://tibusiness.cl/css/causarol.rar

Overview

General Information

Sample URL: https://tibusiness.cl/css/causarol.rar
Analysis ID: 1430798

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory

Classification

AV Detection

Source: https://tibusiness.cl/css/causarol.rar Avira URL Cloud: detection malicious, Label: malware
Source: tibusiness.cl Virustotal: Detection: 6%
Source: https://tibusiness.cl/css/causarol.rar Virustotal: Detection: 7%
Source: unknown HTTPS traffic detected: 23.61.214.98:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.61.214.98:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.16:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.16:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.16:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.16:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.16:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.164.154.78:443 -> 192.168.2.16:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.16:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.16:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.16:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.16:49767 version: TLS 1.2
Source: firefox.exe Memory has grown: Private usage: 1MB later: 231MB
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203 (6 times)
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108 (3 times)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 times)
Source: unknown TCP traffic detected without corresponding DNS query: 23.61.214.98 (18 times)
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103 (14 times)
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10 (5 times)
Source: global traffic HTTP traffic detected (13 requests): GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected (11 requests): GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: tibusiness.cl
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
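The network evidence above mixes three things: the scanner verdicts on the URL and domain, the only traffic the report ties to the sample by name (the DNS query for tibusiness.cl; the report does not show which address it resolved to), and background traffic from the browser stack and the analysis VM (Firefox's captive-portal probes to detectportal.firefox.com, UDP to the 1.1.1.1 resolver, and TLS sessions the sandbox attributes to "unknown"). "TCP traffic detected without corresponding DNS query" means the capture saw a connect with no preceding lookup: that is what a hardcoded C2 address looks like, but also what a connection whose lookup happened before capture started, or that reuses a cached resolution, looks like, so those addresses need enrichment before they become indicators. The following added example (not Joe Sandbox code and not part of this report) parses such lines into a deduplicated endpoint set and separates an assumed noise allowlist from the pivot candidates. The sample lines are constructed from this report in the run-together form the sandbox exports them, and the allowlist is an assumption of the example, not a statement about who owns any address.

```python
"""Triage helper for the network lines of a sandbox report.

Added example (not Joe Sandbox code and not part of this report): it parses
the "Source: ..." lines shown above, re-splits HTTP headers that the sandbox
exports run together, deduplicates endpoints, and separates assumed
background noise from endpoints worth pivoting on.
"""
import re
from collections import Counter

# Constructed input: lines copied from the report above, in the run-together
# form the sandbox exports them.
SAMPLE_LINES = """\
Source: https://tibusiness.cl/css/causarol.rar Avira URL Cloud: detection malicious, Label: malware
Source: unknown HTTPS traffic detected: 23.61.214.98:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.61.214.98:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 23.61.214.98
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Encoding: gzip, deflateCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: tibusiness.cl
"""

# Assumed noise lists for this example (analyst-maintained; not a claim about
# who owns any address): the sandbox's resolver and Firefox's captive-portal probe.
NOISE_IPS = {"1.1.1.1"}
NOISE_HOSTS = {"detectportal.firefox.com"}

# Header names the sandbox printed without the CRLF that separated them.
HEADER_NAMES = ("Host:", "User-Agent:", "Accept:", "Accept-Language:",
                "Accept-Encoding:", "Connection:", "Cache-Control:", "Pragma:")

URL_RE = re.compile(r"^Source: (https?://\S+) .*detection malicious")
TLS_RE = re.compile(r"HTTPS traffic detected: (\d+(?:\.\d+){3}):(\d+) -> \S+ version: (TLS [\d.]+)")
NODNS_RE = re.compile(r"(TCP|UDP) traffic detected without corresponding DNS query: (\d+(?:\.\d+){3})")
HTTP_RE = re.compile(r"HTTP traffic detected: ([A-Z]+) (\S+) HTTP/1\.[01](.*)$")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (\S+)")


def split_headers(blob):
    """Re-split 'Host: aUser-Agent: b...' into a dict by inserting breaks before known names."""
    for name in HEADER_NAMES:
        blob = blob.replace(name, "\n" + name)
    headers = {}
    for part in blob.split("\n"):
        if ":" in part:
            name, _, value = part.partition(":")
            headers[name.strip()] = value.strip()
    return headers


def triage(text):
    """Deduplicate the report's network evidence and split it into noise and pivots."""
    tls, no_dns, http = Counter(), Counter(), Counter()
    dns, flagged = set(), set()
    for line in text.splitlines():
        if m := URL_RE.match(line):
            flagged.add(m.group(1))                       # scanner-flagged URL
        elif m := TLS_RE.search(line):
            tls[(m.group(1), int(m.group(2)), m.group(3))] += 1
        elif m := NODNS_RE.search(line):
            no_dns[(m.group(1), m.group(2))] += 1         # connect with no prior lookup
        elif m := HTTP_RE.search(line):
            hdrs = split_headers(m.group(3))
            http[(m.group(1), hdrs.get("Host", "?"), m.group(2))] += 1
        elif m := DNS_RE.search(line):
            dns.add(m.group(1))
    contacted = {ip for ip, _, _ in tls} | {ip for _, ip in no_dns}
    noise = sorted(contacted & NOISE_IPS) + sorted({h for _, h, _ in http if h in NOISE_HOSTS})
    return {
        "flagged_urls": sorted(flagged),
        "dns_queries": sorted(dns),
        "tls": dict(tls),
        "no_dns": dict(no_dns),
        "http": dict(http),
        "noise": noise,
        # Everything contacted that the allowlist does not explain: the set to
        # enrich (passive DNS, ASN, certificate) before calling it C2 or CDN.
        "pivots": sorted(contacted - NOISE_IPS),
    }


def main():
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the summary for the constructed lines; feeding it the whole report text works the same way, and the "pivots" list is the set of addresses to enrich, none of which the report itself links to the sample by name.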
Source: classification engine Classification label: mal64.win@39/29@51/168
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\4fbd8bea-e86e-4a57-8c9b-97361d7823c6.tmp
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_03
Source: C:\Program Files\Mozilla Firefox\firefox.exe File created: C:\Users\user\AppData\Local\Temp\firefox
Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://tibusiness.cl/css/causarol.rar
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1956,i,10049838071548152195,10765393653231979333,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1956,i,10049838071548152195,10765393653231979333,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\causarol (1).rar"
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint --attempting-deelevation -url "C:\Users\user\Downloads\causarol (1).rar"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\causarol (1).rar"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2252 -prefMapHandle 2244 -prefsLen 25250 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5eb1523-d67a-4f2c-9328-429e02610989} 7656 "\\.\pipe\gecko-crash-server-pipe.7656" 192a986dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2832 -parentBuildID 20230927232528 -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26265 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22302d76-9aa3-40eb-ad3d-c2931e83a24d} 7656 "\\.\pipe\gecko-crash-server-pipe.7656" 192bb7a5e10 rdd
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\causarol (1).rar"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\causarol (1).rar"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2252 -prefMapHandle 2244 -prefsLen 25250 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5eb1523-d67a-4f2c-9328-429e02610989} 7656 "\\.\pipe\gecko-crash-server-pipe.7656" 192a986dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2832 -parentBuildID 20230927232528 -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26265 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22302d76-9aa3-40eb-ad3d-c2931e83a24d} 7656 "\\.\pipe\gecko-crash-server-pipe.7656" 192bb7a5e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\causarol (1).rar"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\causarol (1).rar"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\causarol (1).rar"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5524 -prefMapHandle 5512 -prefsLen 33220 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb5457c-40ad-4060-bad4-8578c1cb24f4} 7656 "\\.\pipe\gecko-crash-server-pipe.7656" 192c7085710 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5524 -prefMapHandle 5512 -prefsLen 33220 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb5457c-40ad-4060-bad4-8578c1cb24f4} 7656 "\\.\pipe\gecko-crash-server-pipe.7656" 192c7085710 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: smartscreenps.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: shdocvw.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Mozilla Firefox\firefox.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe TID: 7484 Thread sleep count: 173 > 30
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\causarol (1).rar"
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation