Edit tour

Windows Analysis Report
https://271439.cobirosite.com/

Overview

General Information

Sample URL:	https://271439.cobirosite.com/
Analysis ID:	831016
Infos:

Detection

HTMLPhisher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish10

Antivirus detection for URL or domain

Phishing site detected (based on image similarity)

HTML body contains low number of good links

No HTML title found

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 3132 cmdline: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail MD5: CA3FDE8329DE07C95897DB0D828545CD)

chrome.exe (PID: 6316 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://271439.cobirosite.com/ MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 6496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1784,i,8265395457072351684,11967616966742476966,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
13659.4.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+620; __Secure-ENID=6.SE=cJKCBuSaL1dV3R8z2Y2al7-m2m5bGA74lqbYYkqC3uy-NtZ1f6n_bCBr25tlnnjvdmLpGQ81ZKzP3Te5vVjpSQjYWCwvlOMApK7tmZNWcORu0p4wniPJGQfTslQNnpQWhG9qkwkEgy49-6UG3UQ1eiUyFolJZWLeUM1p4KvjM9E

Source: classification engine

Classification label: mal76.phis.win@28/39@14/15

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://271439.cobirosite.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1784,i,8265395457072351684,11967616966742476966,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1784,i,8265395457072351684,11967616966742476966,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	3 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://271439.cobirosite.com/	2%	Virustotal		Browse
https://271439.cobirosite.com/	0%	Avira URL Cloud	safe
https://271439.cobirosite.com/	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering

Source	Detection	Scanner	Label	Link
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/js/ctgkdx59njcppdwfbkcqjnwr5	100%	Avira URL Cloud	phishing
https://cct.google/taggy/agent.js	0%	URL Reputation	safe
https://cobiro.com/domains	0%	Avira URL Cloud	safe
https://271439.cobirosite.com/8306b64e-ea98-4158-8eee-204f0d79f12a.js	0%	Avira URL Cloud	safe
https://media.cobiro.com/error-page/under-construction-background.jpeg	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ASSETS/img/sig-op.svg	100%	Avira URL Cloud	phishing
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/styles/challenges.css	100%	Avira URL Cloud	phishing
https://media.cobiro.com/error-page/under-construction-background.jpeg	0%	Virustotal		Browse
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=1080px	0%	Avira URL Cloud	safe
https://media.cobiro.com/error-page/icon-advertising.svg	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ASSETS/img/m_.svg	100%	Avira URL Cloud	phishing
https://media.cobiro.com/error-page/logo-cobiro.svg	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/img/7ab1d8eda99635df/1679356121973/E7Dtgm4DKXspiM9	100%	Avira URL Cloud	phishing
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=400px	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/boot/9bcpwwjj5dtf5qkgnrpcncxdk	100%	Avira URL Cloud	phishing
https://cobiro.com/website	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ic/gcnpf5wpd5dqjkncwjkc9xtrb	100%	Avira URL Cloud	phishing
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=200px	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/images/trace/managed/js/transparent.gif?ray=7ab1d8eda99635df	100%	Avira URL Cloud	phishing
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/pat/7ab1d8eda99635df/1679356121974/e3b01c142e344330299c3d42ab192c2a0131b3d3e5fa078de4b6d2287145661e/Y8_NIB-7-_rheOk	100%	Avira URL Cloud	phishing
https://271439.cobirosite.com/8306b64e-ea98-4158-8eee-204f0d79f12a.css	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/flow/ov1/992221000:1679354830:2yQqRvlGN7S4gfDfO01nS-L4AqaibDzQpA12k-PJAhQ/7ab1d8eda99635df/8493bbc48a0427b	100%	Avira URL Cloud	phishing
https://cobiro.com/google-search/	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/jq/pktqpn5dbrxjwg5cfdkcw9cnj	100%	Avira URL Cloud	phishing
https://media.cobiro.com/assets/css/reset.css	0%	Avira URL Cloud	safe
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=1920px	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/APP-U5GPIZ/n5dwqncfktpw5cgpxkdrbjj9c	100%	Avira URL Cloud	phishing
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/favicon.ico	100%	Avira URL Cloud	phishing
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/scripts/pica.js	100%	Avira URL Cloud	phishing
https://media.cobiro.com/error-page/icon-build.svg	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/scripts/alpha/invisible.js?ts=1679342400	100%	Avira URL Cloud	phishing
https://www.merchant-center-analytics.goog/mc/collect	0%	Avira URL Cloud	safe
https://271439.cobirosite.com/favicon.ico	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/orchestrate/managed/v1?ray=7ab1d8eda99635df	100%	Avira URL Cloud	phishing
https://media.cobiro.com/error-page/favicon.ico	0%	Avira URL Cloud	safe
https://media.cobiro.com/error-page/icon-domain.svg	0%	Avira URL Cloud	safe
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/x/p5cpkkdqgdr9jxbw5ncwfcjnt	100%	Avira URL Cloud	phishing
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/cv/result/7ab1d92a6fac9153	100%	Avira URL Cloud	phishing
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=2560px	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
a.nel.cloudflare.com	35.190.80.1	true	false	high
accounts.google.com	142.250.186.45	true	false	high
challenges.cloudflare.com	104.18.6.185	true	false	high
media.cobiro.com	52.222.214.9	true	false	unknown
www.google.com	142.250.186.100	true	false	high
hh0mtbdj9f64031a8f7f879.sigadi.ru	172.67.152.102	true	false	unknown
prod-router.cobiro.workers.dev	104.21.54.42	true	false	unknown
clients.l.google.com	172.217.18.14	true	false	high
clients2.google.com	unknown	unknown	false	high
271439.cobirosite.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/js/ctgkdx59njcppdwfbkcqjnwr5	true	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ID-6418f0e2af19b	true		unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/orchestrate/chl_api/v1?ray=7ab1d8feaeca691b	false		high
https://271439.cobirosite.com/8306b64e-ea98-4158-8eee-204f0d79f12a.js	true	Avira URL Cloud: safe	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/350hd/0x4AAAAAAAAjq6WYeRDKmebM/light/normal	false		high
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/flow/ov1/1356602515:1679355110:EtCCJZINfDNVZaxY6meWZesT5skXLn1hf7eOmkFkgK0/7ab1d8feaeca691b/d1489ea3a7fd4ad	false		high
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ASSETS/img/sig-op.svg	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/styles/challenges.css	false	Avira URL Cloud: phishing	unknown
https://271439.cobirosite.com/	true		unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ASSETS/img/m_.svg	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/img/7ab1d8eda99635df/1679356121973/E7Dtgm4DKXspiM9	false	Avira URL Cloud: phishing	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/img/7ab1d8feaeca691b/1679356125509/jG-YDUWHZmJhn8N	false		high
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/boot/9bcpwwjj5dtf5qkgnrpcncxdk	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ic/gcnpf5wpd5dqjkncwjkc9xtrb	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/images/trace/managed/js/transparent.gif?ray=7ab1d8eda99635df	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/pat/7ab1d8eda99635df/1679356121974/e3b01c142e344330299c3d42ab192c2a0131b3d3e5fa078de4b6d2287145661e/Y8_NIB-7-_rheOk	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/flow/ov1/992221000:1679354830:2yQqRvlGN7S4gfDfO01nS-L4AqaibDzQpA12k-PJAhQ/7ab1d8eda99635df/8493bbc48a0427b	false	Avira URL Cloud: phishing	unknown
https://271439.cobirosite.com/8306b64e-ea98-4158-8eee-204f0d79f12a.css	true	Avira URL Cloud: safe	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/jq/pktqpn5dbrxjwg5cfdkcw9cnj	false	Avira URL Cloud: phishing	unknown
https://271439.cobirosite.com/	true		unknown
https://media.cobiro.com/assets/css/reset.css	false	Avira URL Cloud: safe	unknown
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=1920px	false	Avira URL Cloud: safe	unknown
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/APP-U5GPIZ/n5dwqncfktpw5cgpxkdrbjj9c	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/favicon.ico	false	Avira URL Cloud: phishing	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/scripts/pica.js	false	Avira URL Cloud: phishing	unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/350hd/0x4AAAAAAAAjq6WYeRDKmebM/light/normal	false		high
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/scripts/alpha/invisible.js?ts=1679342400	false	Avira URL Cloud: phishing	unknown
https://a.nel.cloudflare.com/report/v3?s=aW9%2Bxr3YkF8n%2BjbNQUdf8%2FimakRns%2FFsV18RkoMkMrXnKWpZBgXqqKzvkJ8WTbhK7t6McaTSaGJ%2BRJbi1WgQt%2Fr%2Bp%2Bk8HkVvn1oCaXxWXJ1Lremha4PFqmYZdWBxvgZqKrmmsKh2Jwk%3D	false		high
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/	false		unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ID-6418f0e2af19b	true		unknown
https://271439.cobirosite.com/favicon.ico	true	Avira URL Cloud: safe	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/orchestrate/managed/v1?ray=7ab1d8eda99635df	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/	false		unknown
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/pat/7ab1d8feaeca691b/1679356125505/6415a47ceedad2f748ae19a20389c1e9e14e5b3caf157a609d3d00a4894680e9/s5Kp__OWAS8SxWr	false		high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/x/p5cpkkdqgdr9jxbw5ncwfcjnt	false	Avira URL Cloud: phishing	unknown
https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/cv/result/7ab1d92a6fac9153	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stats.g.doubleclick.net/g/collect	chromecache_167.8.dr	false		high
https://www.cloudflare.com/privacypolicy/	chromecache_171.8.dr	false		high
https://cobiro.com/domains	chromecache_177.8.dr	false	Avira URL Cloud: safe	unknown
https://media.cobiro.com/error-page/under-construction-background.jpeg	chromecache_177.8.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=1080px	chromecache_160.8.dr	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/iframe_api	chromecache_167.8.dr	false		high
https://github.com/twbs/bootstrap/graphs/contributors)	chromecache_181.8.dr	false		high
https://media.cobiro.com/error-page/icon-advertising.svg	chromecache_177.8.dr	false	Avira URL Cloud: safe	unknown
https://media.cobiro.com/error-page/logo-cobiro.svg	chromecache_177.8.dr	false	Avira URL Cloud: safe	unknown
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=400px	chromecache_160.8.dr	false	Avira URL Cloud: safe	unknown
https://cobiro.com/website	chromecache_177.8.dr	false	Avira URL Cloud: safe	unknown
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=200px	chromecache_160.8.dr	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/en-gb/products/turnstile/?utm_source=turnstile&utm_campaign=widget	chromecache_171.8.dr	false		high
https://cobiro.com/google-search/	chromecache_177.8.dr	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/website-terms/	chromecache_171.8.dr	false		high
https://googleads.g.doubleclick.net	chromecache_167.8.dr	false		high
https://getbootstrap.com/)	chromecache_181.8.dr	false		high
https://cct.google/taggy/agent.js	chromecache_167.8.dr	false	URL Reputation: safe	unknown
https://media.cobiro.com/error-page/icon-build.svg	chromecache_177.8.dr	false	Avira URL Cloud: safe	unknown
https://www.merchant-center-analytics.goog/mc/collect	chromecache_167.8.dr	false	Avira URL Cloud: safe	unknown
https://td.doubleclick.net	chromecache_167.8.dr	false		high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	chromecache_181.8.dr	false		high
https://stats.g.doubleclick.net/g/collect?v=2&	chromecache_167.8.dr	false		high
https://media.cobiro.com/error-page/favicon.ico	chromecache_177.8.dr	false	Avira URL Cloud: safe	unknown
https://media.cobiro.com/error-page/icon-domain.svg	chromecache_177.8.dr	false	Avira URL Cloud: safe	unknown
https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=2560px	chromecache_160.8.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.45	accounts.google.com	United States	15169	GOOGLEUS	false
172.217.18.14	clients.l.google.com	United States	15169	GOOGLEUS	false
52.109.13.64	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.18.4	unknown	United States	15169	GOOGLEUS	false
172.67.152.102	hh0mtbdj9f64031a8f7f879.sigadi.ru	United States	13335	CLOUDFLARENETUS	false
104.21.54.42	prod-router.cobiro.workers.dev	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.18.6.185	challenges.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
52.222.214.9	media.cobiro.com	United States	16509	AMAZON-02US	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
172.217.16.196	unknown	United States	15169	GOOGLEUS	false
52.109.76.141	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831016
Start date and time:	2023-03-21 00:47:56 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://271439.cobirosite.com/
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.phis.win@28/39@14/15
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe, WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 142.250.185.67, 34.104.35.123, 172.217.16.200, 216.239.34.36, 216.239.32.36, 142.250.185.138, 216.58.212.170, 142.250.185.234, 142.250.186.42, 142.250.184.234, 142.250.185.170, 142.250.185.202, 172.217.16.138, 142.250.186.170, 142.250.184.202, 142.250.186.138, 172.217.16.202, 142.250.186.106, 142.250.181.234, 142.250.186.74, 172.217.18.10, 142.250.186.67
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, content-autofill.googleapis.com, login.live.com, www.googletagmanager.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, region1.google-analytics.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	4096
Entropy (8bit):	4.069830629021194
Encrypted:	false
SSDEEP:	96:H+zvG2rF1/6uErqfJxnCqrCXwKyBr6VWB:H+zB
MD5:	CEA949B1EEA5087BB5475AE317402C50
SHA1:	7EE7E8C3F09F677F5B4525DBD7818DCAECECE141
SHA-256:	3E0CA6B05F2E961FA919E6852D111467334358AD9A072B184A66F3DE81B9CFC1
SHA-512:	C9238257D17E044E9CC67B7455F1A518830DEF269B836F540B91C40435A277EF0B14A4C6AFEEA0F555A8A798BE59F107630F61DFD4AB94805A98D70D50342819
Malicious:	false
Reputation:	low
Preview:	........(........A_..[..(........................... ...XM......8 ......X.......0...<......v.[..#.....C.L...0T.j................A..F.......................@.B:X.......0...<......v.[..#.....C.L...0T.j................H..F.........................$:X.......0...<......v.[..#.....C.L...0T.j................K..F..........................:X.......0...<......v.[..#.....C.L...0T.j...............aO..F..........................:X.......0...<......v.[..#.....C.L...0T.j................R..F..........................:X.......0...<......v.[..#.....C.L...0T.j................V..F..........................:X.......0...<......v.[..#.....C.L...0T.j................Y..F..........................:X.......0...<......v.[..#.....C.L...0T.j................\..F........................./:X.......0...<......v.[..#.....C.L...0T.j................_..F..........................:X.......0...<......v.[..#.....C.L...0T.j................b..F..........................:X.......0...<......v.[..#..*...C.L...0T.j.......

Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/js/ctgkdx59njcppdwfbkcqjnwr5	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ASSETS/img/sig-op.svg	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/styles/challenges.css	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ASSETS/img/m_.svg	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/img/7ab1d8eda99635df/1679356121973/E7Dtgm4DKXspiM9	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/boot/9bcpwwjj5dtf5qkgnrpcncxdk	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ic/gcnpf5wpd5dqjkncwjkc9xtrb	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/images/trace/managed/js/transparent.gif?ray=7ab1d8eda99635df	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/pat/7ab1d8eda99635df/1679356121974/e3b01c142e344330299c3d42ab192c2a0131b3d3e5fa078de4b6d2287145661e/Y8_NIB-7-_rheOk	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/flow/ov1/992221000:1679354830:2yQqRvlGN7S4gfDfO01nS-L4AqaibDzQpA12k-PJAhQ/7ab1d8eda99635df/8493bbc48a0427b	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/jq/pktqpn5dbrxjwg5cfdkcw9cnj	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/APP-U5GPIZ/n5dwqncfktpw5cgpxkdrbjj9c	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/favicon.ico	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/scripts/pica.js	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/scripts/alpha/invisible.js?ts=1679342400	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/orchestrate/managed/v1?ray=7ab1d8eda99635df	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/x/p5cpkkdqgdr9jxbw5ncwfcjnt	Avira URL Cloud: Label: phishing
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/cdn-cgi/challenge-platform/h/g/cv/result/7ab1d92a6fac9153	Avira URL Cloud: Label: phishing

Source: https://sigadi.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_158.8.dr	Jump to dropped file
Source: https://sigadi.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_162.8.dr	Jump to dropped file
Source: https://sigadi.ru	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_179.8.dr	Jump to dropped file
Source: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/ID-6418f0e2af19b	Matcher: Found strong image similarity, brand: Microsoft image: 13659.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.13.64
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.76.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.76.141
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.13.64
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: chromecache_167.8.dr	String found in binary or memory: b,"vert.pix");break;case "PERCENT":Ay(d.verticalThresholds,b,"vert.pct")}zv("sdl","init",!1)?zv("sdl","pending",!1)\|\|J(function(){return By()}):(xv("sdl","init",!0),xv("sdl","pending",!0),J(function(){By();if(Cy()){var e=Dy();qc(z,"scroll",e);qc(z,"resize",e)}else xv("sdl","init",!1)}));return b}Hy.M="internal.enableAutoEventOnScroll";var cc=fa(["data-gtm-yt-inspected-"]),Iy=["www.youtube.com","www.youtube-nocookie.com"],Jy,Ky=!1; equals www.youtube.com (Youtube)
Source: chromecache_167.8.dr	String found in binary or memory: l=!!a.get("fixMissingApi");if(!(d\|\|e\|\|f\|\|g.length\|\|h.length))return;var n={Ff:d,Df:e,Ef:f,lg:g,mg:h,gd:l,Wa:b},p=z.YT,q=function(){Qy(n)};if(p)return p.ready&&p.ready(q),b;var r=z.onYouTubeIframeAPIReady;z.onYouTubeIframeAPIReady=function(){r&&r();q()};J(function(){for(var u=I.getElementsByTagName("script"),t=u.length,v=0;v<t;v++){var w=u[v].getAttribute("src");if(Ty(w,"iframe_api")\|\|Ty(w,"player_api"))return b}for(var y=I.getElementsByTagName("iframe"),x=y.length,A=0;A<x;A++)if(!Ky&&Ry(y[A],n.gd))return mc("https://www.youtube.com/iframe_api"), equals www.youtube.com (Youtube)

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 23:48:38 GMTContent-Type: text/htmlContent-Length: 4525Connection: closeReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aW9%2Bxr3YkF8n%2BjbNQUdf8%2FimakRns%2FFsV18RkoMkMrXnKWpZBgXqqKzvkJ8WTbhK7t6McaTSaGJ%2BRJbi1WgQt%2Fr%2Bp%2Bk8HkVvn1oCaXxWXJ1Lremha4PFqmYZdWBxvgZqKrmmsKh2Jwk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab1d8d97fa22c19-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 23:48:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originPermissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Frame-Options: SAMEORIGINCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=X9akr2oNGRo1v8kiTSa5wW4fI5sMH2RLVZmT6Z9aGDnjhsebhpW%2BKHNeLYlFjkpJFeQoX6SrgH6s1enXnaHX2TEIR1VOI9jconEqjAEkd2rpFAQ3iK2reQ37eoPGal0H2VB71BUSbTD5Vc5SRF3g2nBgxgw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab1d8eda99635df-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 23:48:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originPermissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Frame-Options: SAMEORIGINCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yyzjMT1ryPblymlK4u%2Fi8iVj9609u2wkfQUXBS7T5eTNS20LZXDY4b%2BEQYdmY7kA%2FJmC4VLjN9oo%2BgTvODXDUcoV4SUtN6%2BbK3p29kwURB56lP4H0tsgRSn8EvP%2FDSqDjPtzkyidIq6McUE5l9Nk8kSKAJI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab1d8ef78b8994b-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 23:48:42 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originPermissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Frame-Options: SAMEORIGINCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WR1oKe1o0yj6X0xw4kVTTWGe2E9npAZopqm5XV9oYQEt8Bsosw58g9bQNvEadOh2dFTcNt%2BI%2Fy2XZA%2FHUEJY0d4L6lnIHRDqdRxm1kOl4ks1PSfTO19DQo5NyMVjz8BTYLfvmhLfl9GDym16A8crBQ1D1VE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab1d8f4a9573a76-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 23:48:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originPermissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Frame-Options: SAMEORIGINCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SyR1AlqcYxw7uyzksQg5UtG7iJb4f4emxLLsLlSLRiMWbBfYV%2Bu2B8vPYnqxIuXMB9ny9G7R%2B85AUSsdbI70blquNabdjwuHt%2FDcybIbrImOK9qgZM9X8hnsVJv%2F4uXU%2FeC0yITJVeEFWx60wskaTI9hOP8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab1d925adc9bc04-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

Source: chromecache_167.8.dr	String found in binary or memory: https://cct.google/taggy/agent.js
Source: chromecache_177.8.dr	String found in binary or memory: https://cobiro.com/domains
Source: chromecache_177.8.dr	String found in binary or memory: https://cobiro.com/google-search/
Source: chromecache_177.8.dr	String found in binary or memory: https://cobiro.com/website
Source: chromecache_177.8.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Poppins&display=swap
Source: chromecache_177.8.dr	String found in binary or memory: https://fonts.gstatic.com
Source: chromecache_181.8.dr	String found in binary or memory: https://getbootstrap.com/)
Source: chromecache_181.8.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_181.8.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: chromecache_167.8.dr	String found in binary or memory: https://googleads.g.doubleclick.net
Source: chromecache_160.8.dr	String found in binary or memory: https://hh0mtbdj9f64031a8f7f879.sigadi.ru/
Source: chromecache_160.8.dr	String found in binary or memory: https://media.cobiro.com/assets/css/reset.css
Source: chromecache_177.8.dr	String found in binary or memory: https://media.cobiro.com/error-page/favicon.ico
Source: chromecache_177.8.dr	String found in binary or memory: https://media.cobiro.com/error-page/icon-advertising.svg
Source: chromecache_177.8.dr	String found in binary or memory: https://media.cobiro.com/error-page/icon-build.svg
Source: chromecache_177.8.dr	String found in binary or memory: https://media.cobiro.com/error-page/icon-domain.svg
Source: chromecache_177.8.dr	String found in binary or memory: https://media.cobiro.com/error-page/logo-cobiro.svg
Source: chromecache_177.8.dr	String found in binary or memory: https://media.cobiro.com/error-page/under-construction-background.jpeg
Source: chromecache_160.8.dr	String found in binary or memory: https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=1080px
Source: chromecache_160.8.dr	String found in binary or memory: https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=1920px
Source: chromecache_160.8.dr	String found in binary or memory: https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=200px
Source: chromecache_160.8.dr	String found in binary or memory: https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=2560px
Source: chromecache_160.8.dr	String found in binary or memory: https://media.cobiro.com/images/a5be6e77-9b87-48de-9e9f-f705ebb37c11.webp?width=400px
Source: chromecache_167.8.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: chromecache_167.8.dr	String found in binary or memory: https://stats.g.doubleclick.net/g/collect
Source: chromecache_167.8.dr	String found in binary or memory: https://stats.g.doubleclick.net/g/collect?v=2&
Source: chromecache_167.8.dr	String found in binary or memory: https://td.doubleclick.net
Source: chromecache_171.8.dr	String found in binary or memory: https://www.cloudflare.com/en-gb/products/turnstile/?utm_source=turnstile&utm_campaign=widget
Source: chromecache_171.8.dr	String found in binary or memory: https://www.cloudflare.com/privacypolicy/
Source: chromecache_171.8.dr	String found in binary or memory: https://www.cloudflare.com/website-terms/
Source: chromecache_167.8.dr	String found in binary or memory: https://www.googletagmanager.com/a?id=
Source: chromecache_160.8.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-8BJ6XM5Y1V
Source: chromecache_167.8.dr	String found in binary or memory: https://www.merchant-center-analytics.goog/mc/collect
Source: chromecache_167.8.dr	String found in binary or memory: https://www.youtube.com/iframe_api

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 82 x 29, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.035372245524405
Encrypted:	false
SSDEEP:	3:yionv//thPlPit/WChkxl/k4E08up:6v/lhPgt+ik7Tp
MD5:	6F531C8286B9F7502BDB778E79378485
SHA1:	FF12229BCBBA5858783B4FA0BB9EA4434F1D0EBA
SHA-256:	582473B3892C5B5102EC0B6AF0C3A37E899EFFFE7A943E2BE7D172CD2B209893
SHA-512:	B7C1972F1FEB0BE1BC26132D29C1ED594095E235A6C6EB0F43FD5047B0FEF43CC6880CD4B0F3552FCEC84DDCF8AF4354D729D9F7DF947FBDE4341532EEB69046
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...R..........@.u....IDAT.....$.....IEND.B`.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2023 00:48:35.012797117 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.012872934 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.013031960 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.013524055 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.013633966 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.013741970 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.016875029 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.016935110 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.017119884 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.017164946 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.099744081 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.104887962 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.104940891 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.105083942 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.109904051 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.109927893 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.110186100 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.110203028 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.118021011 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.118143082 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.167438030 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.183916092 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.183962107 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.186589003 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.186711073 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.227288008 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.251813889 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.251856089 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.252871990 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.253005981 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.254303932 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.254414082 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.438146114 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.438241959 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.438599110 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.439374924 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.439420938 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.442270994 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.442327976 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.442687988 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.442704916 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.442717075 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.443058014 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.443110943 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.443144083 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.443208933 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.443224907 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.473578930 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.473674059 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.473712921 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.473903894 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.473997116 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.477360010 CET	49730	443	192.168.2.3	172.217.18.14
Mar 21, 2023 00:48:35.477385044 CET	443	49730	172.217.18.14	192.168.2.3
Mar 21, 2023 00:48:35.479713917 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.483962059 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.521781921 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.522191048 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.522358894 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.531114101 CET	49728	443	192.168.2.3	142.250.186.45
Mar 21, 2023 00:48:35.531157970 CET	443	49728	142.250.186.45	192.168.2.3
Mar 21, 2023 00:48:35.632930040 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.633105040 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.633220911 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.633276939 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.633502007 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.633599997 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.663562059 CET	49727	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.663611889 CET	443	49727	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.799981117 CET	49732	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.800062895 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.800163984 CET	49732	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.800726891 CET	49732	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.800770998 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.801498890 CET	49733	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.801546097 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.801620960 CET	49733	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.802099943 CET	49733	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.802124977 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.895123959 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.895461082 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.895850897 CET	49733	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.895881891 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.896302938 CET	49732	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.896327019 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.896374941 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.896831036 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.896935940 CET	49733	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.896955013 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.897039890 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.897130013 CET	49733	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.897145987 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.897612095 CET	49732	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.897639036 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.897730112 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.897809029 CET	49732	443	192.168.2.3	104.21.54.42
Mar 21, 2023 00:48:35.897830009 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.957732916 CET	443	49733	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.958077908 CET	443	49732	104.21.54.42	192.168.2.3
Mar 21, 2023 00:48:35.958081007 CET	443	49733	104.21.54.42	192.168.2.3

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2023 00:48:34.876620054 CET	64952	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:34.880213976 CET	60276	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:34.897603035 CET	53	60276	1.1.1.1	192.168.2.3
Mar 21, 2023 00:48:34.931018114 CET	61561	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:34.936625004 CET	53	64952	1.1.1.1	192.168.2.3
Mar 21, 2023 00:48:34.948311090 CET	53	61561	1.1.1.1	192.168.2.3
Mar 21, 2023 00:48:35.805622101 CET	61061	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:35.997044086 CET	53	61061	1.1.1.1	192.168.2.3
Mar 21, 2023 00:48:38.209599972 CET	58651	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:38.227135897 CET	53	58651	1.1.1.1	192.168.2.3
Mar 21, 2023 00:48:38.579010963 CET	55315	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:38.596184969 CET	53	55315	1.1.1.1	192.168.2.3
Mar 21, 2023 00:48:38.599730968 CET	60302	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:38.617264986 CET	53	60302	1.1.1.1	192.168.2.3
Mar 21, 2023 00:48:40.942291975 CET	61319	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:41.105820894 CET	53	61319	1.1.1.1	192.168.2.3
Mar 21, 2023 00:48:41.746867895 CET	58701	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:48:41.764127016 CET	53	58701	1.1.1.1	192.168.2.3
Mar 21, 2023 00:49:38.420774937 CET	61268	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:49:38.437860012 CET	53	61268	1.1.1.1	192.168.2.3
Mar 21, 2023 00:49:38.628453970 CET	56207	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:49:38.645782948 CET	53	56207	1.1.1.1	192.168.2.3
Mar 21, 2023 00:49:38.650476933 CET	62881	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:49:38.667960882 CET	53	62881	1.1.1.1	192.168.2.3
Mar 21, 2023 00:50:38.687180042 CET	51640	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:50:38.704298973 CET	53	51640	1.1.1.1	192.168.2.3
Mar 21, 2023 00:50:38.706758022 CET	53446	53	192.168.2.3	1.1.1.1
Mar 21, 2023 00:50:38.723736048 CET	53	53446	1.1.1.1	192.168.2.3

Target ID:	0
Start time:	00:48:29
Start date:	21/03/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail
Imagebase:	0x7ff6d3760000
File size:	41778000 bytes
MD5 hash:	CA3FDE8329DE07C95897DB0D828545CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	7
Start time:	00:48:30
Start date:	21/03/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://271439.cobirosite.com/
Imagebase:	0x7ff70f0c0000
File size:	2852640 bytes
MD5 hash:	7BC7B4AEDC055BB02BCB52710132E9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	8
Start time:	00:48:32
Start date:	21/03/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1784,i,8265395457072351684,11967616966742476966,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff70f0c0000
File size:	2852640 bytes
MD5 hash:	7BC7B4AEDC055BB02BCB52710132E9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://271439.cobirosite.com/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_13929_20386-20230321T0048140271-3132.etl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 154

Chrome Cache Entry: 155

Chrome Cache Entry: 156

Chrome Cache Entry: 157

Chrome Cache Entry: 158

Chrome Cache Entry: 159

Chrome Cache Entry: 160

Chrome Cache Entry: 161

Chrome Cache Entry: 162

Chrome Cache Entry: 163

Chrome Cache Entry: 164

Chrome Cache Entry: 165

Chrome Cache Entry: 166

Chrome Cache Entry: 167

Chrome Cache Entry: 168

Chrome Cache Entry: 169

Chrome Cache Entry: 170

Chrome Cache Entry: 171

Chrome Cache Entry: 172

Chrome Cache Entry: 173

Chrome Cache Entry: 174

Chrome Cache Entry: 175

Windows Analysis Report
https://271439.cobirosite.com/