Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
https://www.carsoup.com/api/v1/connections/store?type=web_referrals&dealer_id=18689&redirect=https%3A%2F%2Flyn.bz/bbb

Overview

General Information

Sample URL:https://www.carsoup.com/api/v1/connections/store?type=web_referrals&dealer_id=18689&redirect=https%3A%2F%2Flyn.bz/bbb
Analysis ID:1504846

Detection

HTMLPhisher
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected phishing page
Yara detected HtmlPhish54
Phishing site detected (based on favicon image match)
Phishing site detected (based on image similarity)
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)
Detected non-DNS traffic on DNS port
Found iframes
HTML body contains low number of good links
HTML page contains hidden javascript code
HTML page contains obfuscated script src
Stores files to the Windows start menu directory

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 2992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.carsoup.com/api/v1/connections/store?type=web_referrals&dealer_id=18689&redirect=https%3A%2F%2Flyn.bz/bbb MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6824 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1864,i,15368383865682639495,9934645665720640044,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
SourceRuleDescriptionAuthorStrings
7.10.id.script.csvJoeSecurity_HtmlPhish_54Yara detected HtmlPhish_54Joe Security
    7.6.pages.csvJoeSecurity_HtmlPhish_54Yara detected HtmlPhish_54Joe Security
      8.7.pages.csvJoeSecurity_HtmlPhish_54Yara detected HtmlPhish_54Joe Security
        8.9.pages.csvJoeSecurity_HtmlPhish_54Yara detected HtmlPhish_54Joe Security
          No Sigma rule has matched
          No Suricata rule has matched

          Click to jump to signature section

          Show All Signature Results

          Phishing

          barindex
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueLLM: Score: 8 Reasons: The URL '69x26piyt36.dcciss.es' seems to be a subdomain of 'dcciss.es', which is a domain with a top level domain of 'es'. The subdomain '69x26piyt36' appears to be randomly generated and does not seem to be related to the brand 'Microsoft'. The presence of a randomly generated subdomain and the mismatch between the brand and the domain suggests that this webpage may be a phishing attempt. The domain 'dcciss.es' does not match the legitimate domain associated with Microsoft, which is'microsoft.com'. DOM: 8.8.pages.csv
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueLLM: Score: 8 Reasons: The URL '69x26piyt36.dcciss.es' seems to be a subdomain of 'dcciss.es'. The subdomain appears to be randomly generated and does not seem to be related to the Microsoft brand. The top level domain 'es' is a country-code top-level domain for Spain, which is not the primary domain for Microsoft. The presence of a randomly generated subdomain and an unrelated top level domain suggests that this URL may be a phishing attempt or a fake login page. The brand name 'Microsoft' is displayed on the webpage, but the URL does not match the legitimate domain associated with the brand, which is a strong indicator of a phishing attempt. The design and content of the webpage are typical for a login page, but the unusual URL and lack of association with the legitimate domain make it likely that this is a phishing site. DOM: 8.9.pages.csv
          Source: Yara matchFile source: 7.10.id.script.csv, type: HTML
          Source: Yara matchFile source: 7.6.pages.csv, type: HTML
          Source: Yara matchFile source: 8.7.pages.csv, type: HTML
          Source: Yara matchFile source: 8.9.pages.csv, type: HTML
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueMatcher: Template: microsoft matched with high similarity
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueMatcher: Found strong image similarity, brand: MICROSOFT
          Source: https://www.lechato.org/fete-de-la-musique/HTTP Parser: async function decryptfunction(encryptedfunction, password, salt, iv) { const key = cryptojs.pbkdf2(password, cryptojs.enc.hex.parse(salt), { hasher: cryptojs.algo.sha512, keysize: 64 / 8, iterations: 999 }); const decrypted = cryptojs.aes.decrypt(encryptedfunction, key, { iv: cryptojs.enc.hex.parse(iv) }); return decrypted.tostring(cryptojs.enc.utf8); } (async () => { const encryptedfunction = 'rfd9sok3zd5pif/1guveeakkpntbyrja1peylm0rtqmgup0nvmdfm5ox0gfeqf1vtw0btkdajzmtdzfy31pspk3+amgzgjujvzcibackgjefjhubr4dxbygy8cuuue7ezf+ncgaujgmldxzlkklhk50rrzeofeapq8tu9qhwrouqjkzj0bx7+dxuur2ddvbeyw4ftwvuqzks3fknkyplsxkq2ffke38igcg1ia7mx2dpilolhe5iiyifi3hkadnauc6xhehjlgg02ybdwd3ttvmhat8pvvw4h6lo1/w19v/82mbco2l+xxgdvobbyn3zx1pvlrpylx5ox1ofcid9j5zccb0bklzgjzxdjjeb7kay6igol1h35sapdf03zt2dkjjwwsyp9lo0w/7bnlbkmu1cv+yntlrzjlpxtn57uv7nszx0adr07prluwhynolxfaqnuxqr/+xh2gy...
          Source: https://aeioserv.com/?dxsbslew=4bd9593421a57015640422350e1aa6edaf2842faeebf3471f8cb71ff9a7c0cf72d958210703aeeecaca183efea54034e2ca5b279275b5bc203d01ff4195ec97cHTTP Parser: async function c(encryptedfunction, password, salt, iv) { const key = cryptojs.pbkdf2(password, cryptojs.enc.hex.parse(salt), { hasher: cryptojs.algo.sha512, keysize: 64 / 8, iterations: 999 }); const b = cryptojs.aes.decrypt(encryptedfunction, key, { iv: cryptojs.enc.hex.parse(iv) }); return b.tostring(cryptojs.enc.utf8); } (async () => { const encryptedfunction = 'jtene3ratqqfye1dge+7ozcyfzs2lnlv1hhdi/l2pmewphry9t3pgow1jhoc+efwvvfhusihtmi8ncqfq2sqp9zgwhcf4yj+akt+3t0iczst+knwvjcxcogv5yvyx5qyx8fx9eydr9a9qesfvsrvu8yqju5dftzw6rjfsrubo1zaepacajebitbor7+evdmr72gtfpszr9fzawue2y8k+9vvy7jqlyhph8hxbsca3nb3pmo+ysfasp88a0sw3zgepgmswni/rnyk18pk9zmtqbuknxzjda8hqr9nrkijbin4i4rlsl7khli0717lsldk7pendkoxc23e3p/qkgpqwde0pg/kvmyxah3mp85ty/jms0+ohvchqfsuhuc4qzxa6jqily9xd0fgnf0vit1e3audaxxlqquq9wditwboazspzac5eeinr...
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: Iframe src: https://portal.microsoftonline.com/Prefetch/Prefetch.aspx
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: Iframe src: https://portal.microsoftonline.com/Prefetch/Prefetch.aspx
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: Number of links: 0
          Source: https://www.lechato.org/fete-de-la-musique/HTTP Parser: Base64 decoded: {"version":3,"sourceRoot":"/cfsetup_build/src/orchestrator/turnstile/templates","sources":["turnstile.scss"],"names":[],"mappings":"AAmCA;EACI;IACI;;;AAIR;EACI;IACI;;;AAIR;EACI;IAEI;;EAGJ;IACI;;;AAIR;EACI;IACI;;;AAIR;EACI;IACI;;;AAIR;EACI;IACI;;;AAIR;EACI...
          Source: https://69x26piyt36.dcciss.es/?auth=2HTTP Parser: Script src: data:text/javascript;base64,ZnVuY3Rpb24gYygpe2lmKCFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuYiIpIHx8ICFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuZyIpKXtkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKE9iamVjdC5hc3NpZ24oZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiZGl2Iikse2NsYXNzTGlzdDpbImIiXX
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: Script src: data:text/javascript;base64,ZnVuY3Rpb24gYygpe2lmKCFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuYiIpIHx8ICFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuZyIpKXtkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKE9iamVjdC5hc3NpZ24oZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiZGl2Iikse2NsYXNzTGlzdDpbImIiXX
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: Script src: data:text/javascript;base64,ZnVuY3Rpb24gYygpe2lmKCFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuYiIpIHx8ICFkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCIuZyIpKXtkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKE9iamVjdC5hc3NpZ24oZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiZGl2Iikse2NsYXNzTGlzdDpbImIiXX
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: <input type="password" .../> found
          Source: https://www.lechato.org/fete-de-la-musique/HTTP Parser: No favicon
          Source: https://www.lechato.org/fete-de-la-musique/HTTP Parser: No favicon
          Source: https://aeioserv.com/?dxsbslew=4bd9593421a57015640422350e1aa6edaf2842faeebf3471f8cb71ff9a7c0cf72d958210703aeeecaca183efea54034e2ca5b279275b5bc203d01ff4195ec97cHTTP Parser: No favicon
          Source: https://aeioserv.com/?dxsbslew=4bd9593421a57015640422350e1aa6edaf2842faeebf3471f8cb71ff9a7c0cf72d958210703aeeecaca183efea54034e2ca5b279275b5bc203d01ff4195ec97cHTTP Parser: No favicon
          Source: https://69x26piyt36.dcciss.es/?auth=2HTTP Parser: No favicon
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: No favicon
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: No favicon
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: No favicon
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: No <meta name="author".. found
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: No <meta name="author".. found
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: No <meta name="copyright".. found
          Source: https://69x26piyt36.dcciss.es/?auth=2&sso_reload=trueHTTP Parser: No <meta name="copyright".. found
          Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49734 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49736 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49738 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.16:49746 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.16:49752 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 51.11.168.232:443 -> 192.168.2.16:49759 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 51.11.168.232:443 -> 192.168.2.16:49761 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 51.11.168.232:443 -> 192.168.2.16:49762 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:62174 version: TLS 1.2
          Source: global trafficTCP traffic: 192.168.2.16:62172 -> 162.159.36.2:53
          Source: global trafficTCP traffic: 192.168.2.16:63513 -> 1.1.1.1:53
          Source: global trafficTCP traffic: 192.168.2.16:62172 -> 162.159.36.2:53
          Source: global trafficTCP traffic: 192.168.2.16:63513 -> 1.1.1.1:53
          Source: global trafficTCP traffic: 192.168.2.16:62172 -> 162.159.36.2:53
          Source: global trafficTCP traffic: 192.168.2.16:63513 -> 1.1.1.1:53
          Source: global trafficTCP traffic: 192.168.2.16:62172 -> 162.159.36.2:53
          Source: global trafficTCP traffic: 192.168.2.16:63513 -> 1.1.1.1:53
          Source: global trafficTCP traffic: 192.168.2.16:62172 -> 162.159.36.2:53
          Source: global trafficTCP traffic: 192.168.2.16:63513 -> 1.1.1.1:53
          Source: global trafficTCP traffic: 192.168.2.16:62172 -> 162.159.36.2:53
          Source: global trafficTCP traffic: 192.168.2.16:63513 -> 1.1.1.1:53
          Source: global trafficTCP traffic: 192.168.2.16:62172 -> 162.159.36.2:53
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
          Source: global trafficDNS traffic detected: DNS query: www.carsoup.com
          Source: global trafficDNS traffic detected: DNS query: lyn.bz
          Source: global trafficDNS traffic detected: DNS query: www.lechato.org
          Source: global trafficDNS traffic detected: DNS query: www.google.com
          Source: global trafficDNS traffic detected: DNS query: challenges.cloudflare.com
          Source: global trafficDNS traffic detected: DNS query: cdnjs.cloudflare.com
          Source: global trafficDNS traffic detected: DNS query: a.nel.cloudflare.com
          Source: global trafficDNS traffic detected: DNS query: aeioserv.com
          Source: global trafficDNS traffic detected: DNS query: 69x26piyt36.dcciss.es
          Source: global trafficDNS traffic detected: DNS query: aadcdn.msftauth.net
          Source: global trafficDNS traffic detected: DNS query: portal.microsoftonline.com
          Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
          Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49795 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
          Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62174
          Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
          Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
          Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
          Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
          Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
          Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
          Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
          Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
          Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
          Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
          Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
          Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
          Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
          Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
          Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
          Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 63516 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 62174 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
          Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
          Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
          Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
          Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
          Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63516
          Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
          Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
          Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49734 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49736 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49738 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.16:49746 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 40.126.32.136:443 -> 192.168.2.16:49752 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 51.11.168.232:443 -> 192.168.2.16:49759 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 51.11.168.232:443 -> 192.168.2.16:49761 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 51.11.168.232:443 -> 192.168.2.16:49762 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:62174 version: TLS 1.2
          Source: classification engineClassification label: mal68.phis.win@26/24@36/189
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
          Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.carsoup.com/api/v1/connections/store?type=web_referrals&dealer_id=18689&redirect=https%3A%2F%2Flyn.bz/bbb
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1864,i,15368383865682639495,9934645665720640044,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1864,i,15368383865682639495,9934645665720640044,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information1
          Scripting
          1
          Drive-by Compromise
          Windows Management Instrumentation1
          Scripting
          1
          Process Injection
          1
          Masquerading
          OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System2
          Encrypted Channel
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          Registry Run Keys / Startup Folder
          1
          Registry Run Keys / Startup Folder
          1
          Process Injection
          LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
          Non-Application Layer Protocol
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information
          Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
          Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.