Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Rockfon_Vmail_RDRUJND.svg

Overview

General Information

Sample name:Rockfon_Vmail_RDRUJND.svg
Analysis ID:1632554
MD5:f67d72971289d4a41cff88b5af2270d5
SHA1:a7a8426a7a67b466f7c7132d0509b941084c7a06
SHA256:d7c17b9e274b724ad1a8c385173b0beba9ba0b3132e7b4aa47d7b8a31698d2bb
Infos:

Detection

Score:52
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
AI detected suspicious Javascript
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 7524 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Rockfon_Vmail_RDRUJND.svg" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 7696 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2136,i,8163282999906994620,17082905935042266109,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2164 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 7552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --no-pre-read-main-dll --field-trial-handle=2136,i,8163282999906994620,17082905935042266109,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4444 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-03-08T08:02:36.560437+010020183161A Network Trojan was detected1.1.1.153192.168.2.454963UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

barindex
AI detected phishing page
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendJoe Sandbox AI: Score: 7 Reasons: The brand 'Microsoft' is well-known and typically associated with the domain 'microsoft.com'., The URL 'self-renewal.com' does not match the legitimate domain for Microsoft., The URL does not contain any recognizable elements related to Microsoft, which is suspicious., The presence of a generic domain name like 'self-renewal.com' is often used in phishing attempts to mislead users., The input field asking for an email to access voicemail is a common phishing tactic to collect personal information. DOM: 1.2.pages.csv
AI detected suspicious Javascript
Source: 0.1..script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: https://self-renewal.com/vmail/?omnisendContactID=... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and the use of obfuscated URLs. The script decodes a URL and redirects the user to that URL with the user's email address as a query parameter, which could be used for malicious purposes such as phishing or credential theft. Additionally, the use of a worker URL with an encoded domain suggests an attempt to hide the true destination of the redirect. Overall, this script demonstrates a high level of suspicious and potentially malicious activity.
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendHTTP Parser: Number of links: 0
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendHTTP Parser: Title: Voicemail Notification does not match URL
Source: file:///C:/Users/user/Desktop/Rockfon_Vmail_RDRUJND.svgHTTP Parser: No favicon
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendHTTP Parser: No favicon
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendHTTP Parser: No favicon
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendHTTP Parser: No <meta name="author".. found
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendHTTP Parser: No <meta name="author".. found
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendHTTP Parser: No <meta name="copyright".. found
Source: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendHTTP Parser: No <meta name="copyright".. found
Source: unknownHTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: global trafficTCP traffic: 192.168.2.4:49265 -> 1.1.1.1:53
Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox ViewIP Address: 64.31.7.182 64.31.7.182
Source: Joe Sandbox ViewIP Address: 172.64.145.78 172.64.145.78
Source: Joe Sandbox ViewASN Name: LIMESTONENETWORKSUS LIMESTONENETWORKSUS
Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Network trafficSuricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.4:54963
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisend HTTP/1.1Host: self-renewal.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /wikipedia/commons/4/44/Microsoft_logo.svg HTTP/1.1Host: upload.wikimedia.orgConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://self-renewal.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: self-renewal.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://self-renewal.com/vmail/?omnisendContactID=67c5e7f4c595933e3a3810a6&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+rrfv+%2867ca30bea6c5f3a509edfc83%29&utm_medium=email&utm_source=omnisendAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /wikipedia/commons/4/44/Microsoft_logo.svg HTTP/1.1Host: upload.wikimedia.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global trafficHTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global trafficDNS traffic detected: DNS query: yuv.soundestlink.com
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: global trafficDNS traffic detected: DNS query: self-renewal.com
Source: global trafficDNS traffic detected: DNS query: upload.wikimedia.org
Source: global trafficDNS traffic detected: DNS query: partey-plain-mouse-490f.dry-tooth-5302.workers.dev
Source: global trafficDNS traffic detected: DNS query: theperfumescollection.com
Source: global trafficDNS traffic detected: DNS query: google.com
Source: chromecache_68.1.drString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/4/44/Microsoft_logo.svg
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49267 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49267
Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
Source: unknownHTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir7524_320189594Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir7524_320189594Jump to behavior
Source: classification engineClassification label: mal52.phis.winSVG@37/9@74/7
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Packages\cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104Jump to behavior
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Rockfon_Vmail_RDRUJND.svg"
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2136,i,8163282999906994620,17082905935042266109,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2164 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --no-pre-read-main-dll --field-trial-handle=2136,i,8163282999906994620,17082905935042266109,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4444 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2136,i,8163282999906994620,17082905935042266109,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2164 /prefetch:3Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --no-pre-read-main-dll --field-trial-handle=2136,i,8163282999906994620,17082905935042266109,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4444 /prefetch:8Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
Browser Extensions		1
Process Injection		11
Masquerading		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Process Injection		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
File Deletion		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive3
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
Ingress Tool Transfer		Traffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.