Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\2cad7255-ef11-4d17-a149-cb7cbc0da973.tmp

data

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\4848847f-91c1-4e53-b8ed-35fa07f882ed.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\530b95db-01aa-4bf9-8717-dc92f8cdbc21.tmp

ASCII text, with very long lines, with no line terminators

modified

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

data

modified

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\0ca448c9-78d2-460b-9c92-ce1cc512665a.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\32a9dd66-c894-44c4-8624-a3edad10457a.tmp

UTF-8 Unicode text, with very long lines, with no line terminators

modified

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\6e77c6dd-2af4-4f57-a3d0-7721bcc1bc78.tmp

MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\75ec2c7c-8ea3-4d99-a90d-20e797765180.tmp

very short file (no magic)

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\7892608a-3318-4060-8b5f-327240587eb5.tmp

UTF-8 Unicode text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\81525b54-71fd-427a-9ba9-bf7057bb00ae.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\81fbe44b-d8ee-4aae-9bdd-6ae85132d5bb.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\85412a21-56a5-45f0-bad0-80e2c58194b2.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico (copy)

MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache

data

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\Preferences (copy)

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (copy)

UTF-8 Unicode text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\c580ce7c-653a-4d64-99a8-1fc899809a61.tmp

ASCII text, with no line terminators

modified

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\aa124b56-4f78-4ba5-94fa-b0cfa0122b79.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\b9c35b92-094a-442c-af34-b108b9a8340b.tmp

UTF-8 Unicode text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000006.dbtmp

ASCII text

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT (copy)

ASCII text

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Default\e9e2db75-66d5-4f7e-a7bd-c324c0c86402.tmp

UTF-8 Unicode text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Last Browser

data

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Last Version

ASCII text, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\Local State (copy)

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\e05789a2-3daf-4062-8dac-1827dbc15ed4.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\e67b92c7-a15c-44d6-bb1e-e59cd8228137.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Google\Chrome\User Data\fcc5d586-ccf0-4bc2-a2a6-ae982dfcd8a7.tmp

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\1576_1134994523\manifest.json

ASCII text

dropped

C:\Users\alfredo\AppData\Local\Temp\1576_1134994523\ssl_error_assistant.pb

data

dropped

C:\Users\alfredo\AppData\Local\Temp\25eb09e9-2886-4de2-8bde-0f87c16edbb5.tmp

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)

dropped

C:\Users\alfredo\AppData\Local\Temp\3ecff3c8-ba34-4dea-b8a0-895d33f6caea.tmp

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)

dropped

C:\Users\alfredo\AppData\Local\Temp\72e92281-8389-40f8-970f-816258898005.tmp

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)

dropped

C:\Users\alfredo\AppData\Local\Temp\b8a22276-17a0-4de0-b7ae-e846d4c03999.tmp

Google Chrome extension, version 3

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\bg\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\ca\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\cs\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\da\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\de\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\el\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\en\messages.json

ASCII text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\es\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\es_419\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\et\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\fi\messages.json

UTF-8 Unicode text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_locales\fil\messages.json

ASCII text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\_metadata\verified_contents.json

ASCII text, with very long lines, with no line terminators

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\craw_background.js

ASCII text, with very long lines

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\craw_window.js

ASCII text, with very long lines

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\css\craw_window.css

ASCII text

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\html\craw_window.html

HTML document, ASCII text

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\images\flapper.gif

GIF image data, version 89a, 30 x 30

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\images\icon_128.png

PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\images\icon_16.png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\images\topbar_floating_button.png

PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\images\topbar_floating_button_close.png

PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\images\topbar_floating_button_hover.png

PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\images\topbar_floating_button_maximize.png

PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\images\topbar_floating_button_pressed.png

PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\alfredo\AppData\Local\Temp\scoped_dir1576_1677723441\CRX_INSTALL\manifest.json

ASCII text, with CRLF line terminators

dropped

C:\Users\alfredo\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Little-endian UTF-16 Unicode text, with no line terminators

dropped

There are 52 hidden files, click here to show them.

URLs

Name

Malicious

https://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=

Details

Filetype:	URL
Filename:	https://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=

Signature Hits	Behavior Group	Mitre Attack
Phishing site detected (based on favicon image match)	Phishing	Extra Window Memory Injection
Yara detected HtmlPhish10	Phishing	Extra Window Memory Injection
Yara detected Captcha Phish	Phishing	Extra Window Memory Injection
Phishing site detected (based on image similarity)	Phishing	Extra Window Memory Injection
HTML body contains low number of good links	Phishing
Invalid T&C link found	Phishing
Suspicious form URL found	Phishing	Obfuscated Files or Information
No HTML title found	Phishing
Creates temporary files	System Summary
Performs DNS lookups	Networking	Non-Application Layer Protocol
Classification label	System Summary	Extra Window Memory Injection
Uses HTTPS	Networking	Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Spawns processes	System Summary	Process Injection
Connects to IPs without corresponding DNS lookups	Networking	Extra Window Memory Injection
META author tag missing	Phishing
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
META copyright tag missing	Phishing
Creates files inside the user directory	System Summary	Masquerading
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://w2globaldata.cabildodeagayu.com/1/main/

https://w2globaldata.cabildodeagayu.com/1/main/main.php

Details

Name:	https://w2globaldata.cabildodeagayu.com/1/main/main.php
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
Phishing site detected (based on favicon image match)	Phishing
Phishing site detected (based on image similarity)	Phishing
HTML body contains low number of good links	Phishing
Invalid T&C link found	Phishing
No HTML title found	Phishing
Suspicious form URL found	Phishing	Obfuscated Files or Information
META author tag missing	Phishing
META copyright tag missing	Phishing

https://www.google.com/recaptcha/api2/bframe?hl=en&v=0aeEuuJmrVqDrEL39Fsg5-UJ&k=6LcJNLsfAAAAAFLIycbaJnhsCkE1TOU4w9VVo21f

https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LcJNLsfAAAAAFLIycbaJnhsCkE1TOU4w9VVo21f&co=aHR0cHM6Ly93Mmdsb2JhbGRhdGEuY2FiaWxkb2RlYWdheXUuY29tOjQ0Mw..&hl=en&v=0aeEuuJmrVqDrEL39Fsg5-UJ&size=normal&cb=qvdjcd90eylf

Domains

Name

Malicious

stackpath.bootstrapcdn.com

104.18.11.207

gstaticadssl.l.google.com

216.58.215.227

accounts.google.com

142.250.186.109

www.google.com

142.250.203.100

clients.l.google.com

142.250.185.238

w2globaldata.cabildodeagayu.com

190.8.176.18

Details

Name:	w2globaldata.cabildodeagayu.com
IP:	190.8.176.18
TargetID:	3
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection
Uses secure TLS version for HTTPS connections	Compliance, Networking

clients2.google.com

unknown

IPs

Domain

Country

Malicious

142.250.185.99

unknown

United States

142.250.203.106

unknown

United States

104.17.24.14

unknown

United States

192.168.2.1

unknown

104.18.10.207

unknown

United States

216.58.215.227

gstaticadssl.l.google.com

United States

142.250.203.100

www.google.com

United States

142.250.203.110

unknown

United States

142.250.185.238

clients.l.google.com

United States

142.250.185.227

unknown

United States

104.18.11.207

stackpath.bootstrapcdn.com

United States

142.250.186.109

accounts.google.com

United States

239.255.255.250

unknown

Reserved

65.9.63.90

unknown

United States

142.251.36.99

unknown

United States

190.8.176.18

w2globaldata.cabildodeagayu.com

Colombia

142.250.184.227

unknown

United States

127.0.0.1

unknown

74.125.162.166

unknown

United States

There are 9 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=

Files

URLs

Domains

IPs

IOC Report
https://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=