Edit tour

Windows Analysis Report
ACH payment confirmation careersindia@securview.com .HTML

Overview

General Information

Sample Name:	ACH payment confirmation careersindia@securview.com .HTML
Analysis ID:	1307021
MD5:	7868e50fb7f75480cc4880f31434e417
SHA1:	c41238567442006ea2b821c569b8c17d2d8a0aab
SHA256:	b96949f50cf1cf7e6abe4c3e1d77902e694b1098a57619e68bfe7afb5aa1c19d
Infos:

Detection

HTMLPhisher

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish10

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Detected javascript redirector / loader

HTML file submission containing password form

Suspicious Javascript code found in HTML file

HTML document with suspicious title

Phishing site detected (based on logo match)

HTML Script injector detected

HTML document with suspicious name

Phishing site detected (based on image similarity)

None HTTPS page querying sensitive user data (password, username or email)

Stores files to the Windows start menu directory

HTML body contains password input but no form action

HTML body contains low number of good links

HTML title does not match URL

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5844 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ACH payment confirmation careersindia@securview.com .HTML MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 6164 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1860,i,10221190459973097732,13979483278592795457,262144 /prefetch:8 MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
0.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: AEC=Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA; CONSENT=PENDING+494; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg; __Secure-ENID=14.SE=FEqwE5eimu_CzO8QanixDxMiVRDl1S74wJwxQG4kibYxHFlarNLstM6_FtN3tkTBDN7NI-PM3BH3uafw_juj7Kua5Sxw58UIqMyDvhq3JStE-0GsITWS9X0QrbjvmkA5MVBf-Eb4RLTTefnPk1F_g7MJo2hXw4TzaSRHE_HtskdpjjbT9g

Source: unknown

DNS traffic detected: queries for: www.w3schools.com

Source: global traffic	HTTP traffic detected: GET /ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-115.0.5790.171Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /smarty/xls_v1.6/tail-spin.svg HTTP/1.1Host: kasumbo.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /w3css/4/w3.css HTTP/1.1Host: www.w3schools.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /smarty/xls_v1.6/msoxcel_.svg HTTP/1.1Host: kasumbo.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /smarty/xls_v1.6/tail-spin.svg HTTP/1.1Host: kasumbo.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /smarty/xls_v1.6/msoxcel_.svg HTTP/1.1Host: kasumbo.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /smarty/xls_v1.6/tail-spin.svg HTTP/1.1Host: kasumbo.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /smarty/xls_v1.6/msoxcel_.svg HTTP/1.1Host: kasumbo.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

System Summary

HTML document with suspicious name

Source: Name includes: ACH payment confirmation careersindia@securview.com .HTML

Initial sample: payment

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ACH payment confirmation careersindia@securview.com .HTML
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1860,i,10221190459973097732,13979483278592795457,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1860,i,10221190459973097732,13979483278592795457,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_BITS_5844_1873454240

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: classification engine

Classification label: mal96.phis.winHTML@31/31@18/9

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_5844_1873454240	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_dummy_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_for_eh_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_pnacl_json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_libgcc_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_libcrt_platform_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_crtend_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_5844_885381781	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\LICENSE.txt

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/ACH%20payment%20confirmation%20careersindia@securview.com%20.HTML

HTTP Parser: file:///C:/Users/user/Desktop/ACH%20payment%20confirmation%20careersindia@securview.com%20.HTML

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	3 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	0%	ReversingLabs
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe	0%	ReversingLabs
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
cs1100.wpc.omegacdn.net	0%	Virustotal	Browse
kasumbo.com	7%	Virustotal	Browse
aadcdn.msftauth.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://kasumbo.com/smarty/xls_v1.6/msoxcel_.svg	0%	Avira URL Cloud	safe
https://kasumbo.com/smarty/xls_v1.6/tail-spin.svg	100%	Avira URL Cloud	malware
https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cs1100.wpc.omegacdn.net	152.199.4.44	true	false	0%, Virustotal, Browse	unknown
kasumbo.com	174.127.104.94	true	false	7%, Virustotal, Browse	unknown
accounts.google.com	142.251.40.205	true	false		high
cdnjs.cloudflare.com	104.17.24.14	true	false		high
cs837.wac.edgecastcdn.net	192.229.173.207	true	false		high
www.google.com	142.250.72.100	true	false		high
clients.l.google.com	142.251.41.14	true	false		high
clients2.google.com	unknown	unknown	false		high
aadcdn.msftauth.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.w3schools.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/ACH%20payment%20confirmation%20careersindia@securview.com%20.HTML	false		low
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://www.w3schools.com/w3css/4/w3.css	false		high
https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg	false	Avira URL Cloud: safe	unknown
https://kasumbo.com/smarty/xls_v1.6/tail-spin.svg	false	Avira URL Cloud: malware	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://kasumbo.com/smarty/xls_v1.6/msoxcel_.svg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://fontawesome.io	chromecache_256.1.dr	false	high
https://chromium.googlesource.com/a/native_client/pnacl-llvm.git	pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr	false	high
http://www.zend.com/products/zend_optimizer	chromecache_258.1.dr, chromecache_257.1.dr	false	high
https://easylist.to/)	LICENSE.txt.0.dr	false	high
http://www.zend.com/products/zend_engine	chromecache_258.1.dr, chromecache_257.1.dr	false	high
http://www.zend.com/store/products/zend-safeguard-suite.php	chromecache_258.1.dr, chromecache_257.1.dr	false	high
http://llvm.org/):	pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr	false	high
https://creativecommons.org/compatiblelicenses	LICENSE.txt.0.dr	false	high
http://fontawesome.io/license	chromecache_256.1.dr	false	high
http://www.zend.com	chromecache_257.1.dr	false	high
https://github.com/easylist)	LICENSE.txt.0.dr	false	high
https://creativecommons.org/.	LICENSE.txt.0.dr	false	high
https://code.google.com/p/nativeclient/issues/entry%s:	pnacl_public_x86_64_ld_nexe.0.dr	false	high
https://code.google.com/p/nativeclient/issues/entry	pnacl_public_x86_64_ld_nexe.0.dr	false	high
http://www.zend.com/images/store/safeguard_optimizer_img.gif	chromecache_258.1.dr, chromecache_257.1.dr	false	high
https://chromium.googlesource.com/a/native_client/pnacl-clang.git	pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr	false	high
http://www.zend.com/products/zend_guard	chromecache_258.1.dr, chromecache_257.1.dr	false	high
https://clients2.google.com/service/update2/crx	manifest.json.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
174.127.104.94	kasumbo.com	United States	29854	WESTHOSTUS	false
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
152.199.4.44	cs1100.wpc.omegacdn.net	United States	15133	EDGECASTUS	false
142.251.40.205	accounts.google.com	United States	15169	GOOGLEUS	false
142.251.41.14	clients.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
192.229.173.207	cs837.wac.edgecastcdn.net	United States	15133	EDGECASTUS	false
142.250.72.100	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1307021
Start date and time:	2023-09-11 06:35:25 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ACH payment confirmation careersindia@securview.com .HTML
Detection:	MAL
Classification:	mal96.phis.winHTML@31/31@18/9
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .HTML

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 142.250.80.35, 34.104.35.123, 142.250.64.106, 142.250.72.106, 142.250.80.42, 142.250.80.74, 142.250.80.106, 142.250.176.202, 142.251.40.202, 142.251.40.234, 172.217.165.138, 142.250.65.170, 142.250.65.202, 142.250.65.234, 142.250.81.234, 142.251.41.10, 142.251.32.106, 142.251.35.170, 142.251.40.99
Excluded domains from analysis (whitelisted): www.bing.com, kv601.prod.do.dsp.mp.microsoft.com, geover.prod.do.dsp.mp.microsoft.com, fs.microsoft.com, edgedl.me.gvt1.com, geo.prod.do.dsp.mp.microsoft.com, update.googleapis.com, tse1.mm.bing.net, clientservices.googleapis.com, displaycatalog.mp.microsoft.com, arc.msn.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
174.127.104.94	ACH_payment_confirmation_victimname@uni-sopron.hu_.HTML.html	Get hash	malicious	HTMLPhisher	Browse
	New voicemail.html	Get hash	malicious	HTMLPhisher	Browse
	ACH_payment_confirmation_vijay@panaceainfosec.com_.HTML.html	Get hash	malicious	HTMLPhisher	Browse
	ACH payment confirmation webmaster@automationanywhere.com .HTML	Get hash	malicious	HTMLPhisher	Browse
	ACH payment confirmation webmaster@automationanywhere.com .HTML	Get hash	malicious	HTMLPhisher	Browse
	ACH payment confirmation sales@mackietransportation.com .HTML	Get hash	malicious	HTMLPhisher	Browse
	ACH payment confirmation sales@mackietransportation.com .HTML	Get hash	malicious	HTMLPhisher	Browse
	Remittance Advise Bie.html	Get hash	malicious	HTMLPhisher	Browse
	Remittance Advise Gamko.html	Get hash	malicious	HTMLPhisher	Browse
	Remittance Advise Ttmi.html	Get hash	malicious	HTMLPhisher	Browse
	Ed Payment Remittance Attachment.shtml	Get hash	malicious	Unknown	Browse
104.17.24.14	http://vtaurl.com	Get hash	malicious	Unknown	Browse	cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.4/webfonts/fa-brands-400.woff2
104.17.24.14	http://Voyages.CNTraveler.com	Get hash	malicious	Unknown	Browse	cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.js

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cs1100.wpc.omegacdn.net	https://www.baidu.com/link?url=1YGJBH419YJ7Shf5e6ohRUS-7vRJNV1dr29Obq7fZWDd8MTAPcEwjr_0TJIciDLj&wd#ZGV2Z3Vuc0BzY2huZWlkZXIuY29t	Get hash	malicious	Unknown	Browse	152.199.4.44
	https://cn.bing.com/ck/a?!&&p=fe28eb1f257c8255JmltdHM9MTY5NDEzMTIwMCZpZ3VpZD0zZjEwYjY3OC1lZjY2LTYxZTItMzRhMC1hNTE2ZWVjYzYwMWYmaW5zaWQ9NTIzNQ&ptn=3&hsh=3&fclid=3f10b678-ef66-61e2-34a0-a516eecc601f&u=a1aHR0cHM6Ly93d3cuc21hcnRhbGljZXdlYmRlc2lnbi5jb20vYmxvZy5odG1s#a2V2aW4uc2NvdHRAYWdzaGVhbHRoLmNvbQ==	Get hash	malicious	Unknown	Browse	152.199.4.44
	https://baidu.com/link?url=AF7OczEnNwabQv89jL1GyxWci77XbboVOtpcSmRt27C#a2FyZW4udGhvbWFzQHNrZi5jb20=	Get hash	malicious	Unknown	Browse	152.199.4.44
	https://baidu.com/link?url=AF7OczEnNwabQv89jL1GyxWci77XbboVOtpcSmRt27C#a2FyZW4udGhvbWFzQHNrZi5jb20=	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://cn.bing.com/ck/a?!&&p=3689346c5d82f15fJmltdHM9MTY5NDEzMTIwMCZpZ3VpZD0zZjEwYjY3OC1lZjY2LTYxZTItMzRhMC1hNTE2ZWVjYzYwMWYmaW5zaWQ9NTE1MA&ptn=3&hsh=3&fclid=3f10b678-ef66-61e2-34a0-a516eecc601f&u=a1aHR0cHM6Ly9qYXltb29yZXN0dWRpby5jb20v#c2NvdHQubWNjdWxsb3VnaEBzYmFmbGEuY29t	Get hash	malicious	Unknown	Browse	152.199.4.44
	https://cn.bing.com/ck/a?!&&p=3689346c5d82f15fJmltdHM9MTY5NDEzMTIwMCZpZ3VpZD0zZjEwYjY3OC1lZjY2LTYxZTItMzRhMC1hNTE2ZWVjYzYwMWYmaW5zaWQ9NTE1MA&ptn=3&hsh=3&fclid=3f10b678-ef66-61e2-34a0-a516eecc601f&u=a1aHR0cHM6Ly9qYXltb29yZXN0dWRpby5jb20v#c3ViaGFzaXMuZGFzQHNiYWZsYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://cn.bing.com/ck/a?!&&p=3689346c5d82f15fJmltdHM9MTY5NDEzMTIwMCZpZ3VpZD0zZjEwYjY3OC1lZjY2LTYxZTItMzRhMC1hNTE2ZWVjYzYwMWYmaW5zaWQ9NTE1MA&ptn=3&hsh=3&fclid=3f10b678-ef66-61e2-34a0-a516eecc601f&u=a1aHR0cHM6Ly9qYXltb29yZXN0dWRpby5jb20v#YWRlcmlja0BkZXJpY2tkZXJtYXRvbG9neS5jb20=	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	http://www.baidu.com/link?url=fJVZtU28aw46q1u-KDv27_16ATCkgEFeh5NVb-N3AmXnZbdQzNkXbLiyHkzGWrTV#kari-matti.lehti@hpp.fi	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	http://www.baidu.com/link?url=fJVZtU28aw46q1u-KDv27_16ATCkgEFeh5NVb-N3AmXnZbdQzNkXbLiyHkzGWrTV#kari-matti.lehti@hpp.fi	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://www.baidu.com/link?url=f6FMrMglJP9GtgGCU-juESG8Yi_HzIQEYisCTTyK7lIElSbtvCWycM4oguUthET3Y9LMuZcuVgDuMNfezutD9LmpvwQ9EAENYbLzMId26wm&wd#bWlja2V5Lm1vdXNlQGRpc25leS5jb20=	Get hash	malicious	Unknown	Browse	152.199.4.44
	http://www.baidu.com/link?url=PEFHK_x-4T3uu8V9n7l3aeR6553I0Hy_QUSFoYVk9l_uYL5cMiNAGEkU7U-Qreza#bWlja2V5Lm1vdXNlQGRpc25leS5jb20=	Get hash	malicious	Unknown	Browse	152.199.4.44
	https://get.hidrive.com/api/8ERfoS48/file/Lr7iFS5V9KKZi7ifQb5rZy	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	PYMNT0000054843_3-CHK1_35100987.htm	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://www.baidu.com/link?url=EIJ_9DbhWTUelRfNzwHCwJrevXV18vp1eaX5h2lxvuKjVzVlh69a6qGRwWiHfACD#bWF0dGhldy5kYXZpc0BtYnUuZWR1	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://www.baidu.com/link?url=EIJ_9DbhWTUelRfNzwHCwJrevXV18vp1eaX5h2lxvuKjVzVlh69a6qGRwWiHfACD#bWF0dGhldy5kYXZpc0BtYnUuZWR1	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	http://www.baidu.com/link?url=KFVsTlaKdohYGfFW8pp7jmVFFoTtqZb_6ySCm_fZTFQr9AX1dSPJWIR7sVMAnSDi#d2lzbWVkY3VAd2lzbWVkY3Uub3Jn&d=DwMGaQ	Get hash	malicious	Unknown	Browse	152.199.4.44
	https://r20.rs6.net/tn.jsp?f=0010Hb9AtHzYDDTbKv8idad1HYXJm9TnI69yRRh_yJlYMyZqen7V2vw5Vew71_EUAszCpmRzmytac9Ny5WpMEK6M9a3fX5MNJtBTQe8Q6Vhy7u7D8FNwX1lel_pbBS2--vWg9t9KpRjY1YokhVGY37JuYTh4vA2v42B&c=I1qlIb0kBtQc8SViF-8_1iefUYHYViQBmB43ZK4LvlLg7lOz0iFFFA==&ch=Ow7_Sk1o_uHMhxNIEokjegODrBrGZBxx36TIKMZJaYQ8E62tWrYtGA==&__=c2x1a2Fjc0B3eW53YXJkLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	http://www.baidu.com/link?url=UoOQDYLwlqkXmaXOTPH-yzlABydiidFYSYneujIBjalSn36BarPC6DuCgIN34REP#ap@thejamesbrand.com	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://app.smartsheet.com/b/form/960e73b6005048b49409c3f669908228	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://app.smartsheet.com/b/form/960e73b6005048b49409c3f669908228	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
kasumbo.com	ACH_payment_confirmation_victimname@uni-sopron.hu_.HTML.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	New voicemail.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH_payment_confirmation_vijay@panaceainfosec.com_.HTML.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation webmaster@automationanywhere.com .HTML	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation webmaster@automationanywhere.com .HTML	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation sales@mackietransportation.com .HTML	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation sales@mackietransportation.com .HTML	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation sales@tsitouch.com .HTML	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	ACH payment confirmation support@healthesystems.com .HTML	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	ACH payment confirmation rdownes@farbestfoods.com .HTML	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	ACH payment confirmation rdownes@farbestfoods.com .HTML	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	ACH payment confirmation drbergman@chirokinetics.com .HTML	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	Electronic_Payment_Advice.html	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	nope.html	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	_EXTERNAL_ ESA Quarantined - Japan HTML attachment.msg	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	Electronic_Payment_Advice.html	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	Electronic_Payment_Advice.html	Get hash	malicious	HTMLPhisher	Browse	35.186.223.180
	Remittance Advise Bie.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	Remittance Advise Gamko.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	Remittance Advise Ttmi.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WESTHOSTUS	ACH_payment_confirmation_victimname@uni-sopron.hu_.HTML.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	New voicemail.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH_payment_confirmation_vijay@panaceainfosec.com_.HTML.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation webmaster@automationanywhere.com .HTML	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation webmaster@automationanywhere.com .HTML	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation sales@mackietransportation.com .HTML	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	ACH payment confirmation sales@mackietransportation.com .HTML	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	50.115.127.11
	Remittance Advise Bie.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	yeU7M1JkCW.elf	Get hash	malicious	Moobot	Browse	107.180.207.4
	Remittance Advise Gamko.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	Remittance Advise Ttmi.html	Get hash	malicious	HTMLPhisher	Browse	174.127.104.94
	Ti3Rp595Oe.elf	Get hash	malicious	Mirai	Browse	206.190.180.121
	3CPSrkxnd9.elf	Get hash	malicious	Mirai	Browse	107.180.207.9
	RKv4qulgOvL2Bc.js	Get hash	malicious	Unknown	Browse	206.190.139.69
	Ed Payment Remittance Attachment.shtml	Get hash	malicious	Unknown	Browse	174.127.104.94
	rJustificante_operacionpdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	206.130.99.140
	Official_Signed_P.O_no._MGE-WJO_9006220,_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	206.130.99.140
	Official Signed P.O no. MGE-WJO 9006220, pdf.img	Get hash	malicious	FormBook, GuLoader	Browse	206.130.99.140
	o38ZHLRw1D.elf	Get hash	malicious	Mirai	Browse	206.130.116.177
CLOUDFLARENETUS	https://geupdate-service.bond/img/3344379399.png	Get hash	malicious	Unknown	Browse	1.1.1.1
	Juo81sSETI.exe	Get hash	malicious	DCRat	Browse	104.21.75.68
	http://safe.bulbakalimbul.com	Get hash	malicious	Unknown	Browse	104.16.123.96
	VXUQtkhNK6.exe	Get hash	malicious	Amadey, Djvu, RedLine, SmokeLoader	Browse	172.67.181.144
	zr3PL3b9mR.elf	Get hash	malicious	Mirai	Browse	8.6.157.62
	https://www.baidu.com/link?url=1YGJBH419YJ7Shf5e6ohRUS-7vRJNV1dr29Obq7fZWDd8MTAPcEwjr_0TJIciDLj&wd#ZGV2Z3Vuc0BzY2huZWlkZXIuY29t	Get hash	malicious	Unknown	Browse	104.16.123.96
	file.exe	Get hash	malicious	Unknown	Browse	172.67.166.109
	AutoFarm.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	104.16.124.96
	file.exe	Get hash	malicious	Unknown	Browse	172.67.166.109
	AutoFarm.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	104.16.123.96
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.133.72
	file.exe	Get hash	malicious	Unknown	Browse	104.21.84.95
	file.exe	Get hash	malicious	Amadey, Djvu, Fabookie, RedLine, SmokeLoader	Browse	172.67.181.144
	file.exe	Get hash	malicious	Unknown	Browse	172.67.166.109
	file.exe	Get hash	malicious	Unknown	Browse	104.21.89.251
	file.exe	Get hash	malicious	SmokeLoader	Browse	104.21.29.36
	SKlauncher-3.1.1.jar	Get hash	malicious	Unknown	Browse	172.67.174.171
	7WsuHrx0ZEN4cHdz6D5p4jPI0ErwTPE1AznDYx9G.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse	172.67.69.226
	7WsuHrx0ZEN4cHdz6D5p4jPI0ErwTPE1AznDYx9G.exe	Get hash	malicious	Discord Token Stealer	Browse	104.16.124.96
	http://email.praxischool.com/ls/click?upn=idG6t1z7WnEGBsXx-2FNRRRfQp2CACaDYtYa8z0AFwR1S5xAYHJiO9dz10GXr0xK3IZIPzBdJVFB3lEvYZ3c8cT4TRMy6TrAqM7tS17XTF2qgx7fzCitXUjcKjIC2OQCJvFatk_SfXildSuyDUJaqETQLjZ90t8osLbhQu3JnA20x9YBMgFsrLlBg3bXVyVydHkmgbnEjM5-2BHc-2BZv8TjWCSo8zWVm323XTeHyggvs9qTADvt5sMLn-2BetfzZ2P3XCNoiVUQXePK3THUrbC-2BKAKzPuOTwbICnWKAXj-2BaWXZQdBqzv6MOMg1Ka1JgWySn0psjqBsBoefp9150239OKFQhd83qYcyCIW0ZIIfvoffoFm8I-2BwHw-3D	Get hash	malicious	Unknown	Browse	104.22.1.204

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	https://get.hidrive.com/api/8ERfoS48/file/Lr7iFS5V9KKZi7ifQb5rZy	Get hash	malicious	HTMLPhisher	Browse
	Quote-VCCU-3[6115].doc	Get hash	malicious	Unknown	Browse
	PYMNT0000054843_3-CHK1_35100987.htm	Get hash	malicious	HTMLPhisher	Browse
	https://pub-b0142b98ee5d4d9b8c0a82a12ac9f0f9.r2.dev/doc.html	Get hash	malicious	Unknown	Browse
	work experience cv- may be changed.html	Get hash	malicious	Unknown	Browse
	Ref3638.htm	Get hash	malicious	Unknown	Browse
	Remittance76_PO_876543.htm	Get hash	malicious	Unknown	Browse
	ACH_payment_confirmation_victimname@uni-sopron.hu_.HTML.html	Get hash	malicious	HTMLPhisher	Browse
	ATT00001.htm	Get hash	malicious	Unknown	Browse
	__SeCURE09349438943980290292892892828939822893982.html	Get hash	malicious	Unknown	Browse
	Tax_invoice.htm	Get hash	malicious	Unknown	Browse
	RECEIPT Condenast-05 September, 2023.htm	Get hash	malicious	Unknown	Browse
	12345.htm	Get hash	malicious	HTMLPhisher	Browse
	http://www.ecorfan.org	Get hash	malicious	Unknown	Browse
	https://pub-4d97631662434b85845e7be2b52b6e61.r2.dev/glennhoulier2023.html#bcagle@wecon.com&c=E,1,-nqvAvm6VhLOMj6i8nfSYcYIuFMHExxuUgyQmIXh2GgtooGBQPdOi6RopYuKhwThxMaln4HSVitLFfbfoUamFio3tjpCdGmfNCqKh578trCoxwc,&typo=1	Get hash	malicious	HTMLPhisher	Browse
	dummy-test.html	Get hash	malicious	Unknown	Browse
	AmericanExpress_SecureMessage_Att.html	Get hash	malicious	HTMLPhisher	Browse
	https://abcexhibitions-my.sharepoint.com/:b:/g/personal/accounts_abcexhibitionsuk_co_uk/EaUYiXFCgrFHu3_8-X0dooQB6DozhFp2auh-o9zR8dpViw?e=MI9LGw	Get hash	malicious	Unknown	Browse
	https://irp.cdn-website.com/6e885bb5/files/uploaded/tedidokited.pdf	Get hash	malicious	Unknown	Browse
	ACH_payment_confirmation_vijay@panaceainfosec.com_.HTML.html	Get hash	malicious	HTMLPhisher	Browse

Source: Joe Sandbox View	IP Address: 174.127.104.94 174.127.104.94
Source: Joe Sandbox View	IP Address: 104.17.24.14 104.17.24.14

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: chromecache_256.1.dr	String found in binary or memory: http://fontawesome.io
Source: chromecache_256.1.dr	String found in binary or memory: http://fontawesome.io/license
Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr	String found in binary or memory: http://llvm.org/):
Source: chromecache_257.1.dr	String found in binary or memory: http://www.zend.com
Source: chromecache_258.1.dr, chromecache_257.1.dr	String found in binary or memory: http://www.zend.com/images/store/safeguard_optimizer_img.gif
Source: chromecache_258.1.dr, chromecache_257.1.dr	String found in binary or memory: http://www.zend.com/products/zend_engine
Source: chromecache_258.1.dr, chromecache_257.1.dr	String found in binary or memory: http://www.zend.com/products/zend_guard
Source: chromecache_258.1.dr, chromecache_257.1.dr	String found in binary or memory: http://www.zend.com/products/zend_optimizer
Source: chromecache_258.1.dr, chromecache_257.1.dr	String found in binary or memory: http://www.zend.com/store/products/zend-safeguard-suite.php
Source: pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr	String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libpnacl_irt_shim_dummy_a.0.dr	String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: manifest.json.0.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: pnacl_public_x86_64_ld_nexe.0.dr	String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.0.dr	String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: LICENSE.txt.0.dr	String found in binary or memory: https://easylist.to/)
Source: LICENSE.txt.0.dr	String found in binary or memory: https://github.com/easylist)

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	69553
Entropy (8bit):	5.52691718018853
Encrypted:	false
SSDEEP:	1536:ka8qvNfUcbKG02Sl+XeMKPsNZgAswyO+BOK+IAhxLMBoyZK:lvNMcbn02w+lycgAjz+YKvAhxEoyZK
MD5:	4E79F99222C8AA2B00F8B66CC5E4270B
SHA1:	8DA8A30DE6CF19325B67D50EB778E57ED3ED04C4
SHA-256:	BA0FCB562204929BB9639CE90E91625B49321845EC8940776A53DA4FC093BBA1
SHA-512:	CBE59C405A7B94E561982294029F87D7027F505218AF2E607A08EE35E0D4B53A846019BF7A9F00583C454FE2D4A83993F5C7BB787258180155269746D0ACB3B2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.sdbvveonb1.com^..........0.8.@.R.yomeno.xyz^..........0.8.@.R.yellowblue.io^..........0.8.@.R.ad999.biz^..........0.8.@.R._468_60...........0.8.@.R..adbutler-..........0.8.@.R.hdbcode.com^.-...........konograma.com..0.8.@.R./adserver..,........0.8.@.R.mysmth.net/nForum//ADAgent_..........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.E...........daum.net0.8.@.R)daumcdn.net/adfit/static/ad-native.min.js.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^..........0.8.@.R./banner.cgi?..........0.8.@.R./in/track?data=.!......0.8.@.R.linkbucks.com/tmpl/..........0.8.@.R.ezojs.com^..........0.8.@.R.clicktripz.com^.Q...........weatherbug.net0.8.@.R/web-ads.pulse.weatherbug.net/api/ads/targeting/.(........*...ads.ae..0.8.@.R./upload/ads/..........0.8.@.R.-ad-manager/.#........0.8.@.R.searchad.naver.com^..........0.8.@.R./page-links-to/dist/new-tab.js........0.8.@.R.files.sla

File type:	HTML document, ASCII text, with very long lines (65490), with CRLF line terminators
Entropy (8bit):	5.79605081123531
TrID:
File name:	ACH payment confirmation careersindia@securview.com .HTML
File size:	117'263 bytes
MD5:	7868e50fb7f75480cc4880f31434e417
SHA1:	c41238567442006ea2b821c569b8c17d2d8a0aab
SHA256:	b96949f50cf1cf7e6abe4c3e1d77902e694b1098a57619e68bfe7afb5aa1c19d
SHA512:	a8a6fc30d8f8f2a4a36e014b260bef45ab02f22e36b648c41378d6fb5d2df7e9b78cb6d71e49096a105b42f1eec62d71c24a858191863ec2eac95b9bb9ce66cf
SSDEEP:	3072:pxAskOAdGLQvID5QYn/sBQJvznMMl4Gh31W/4pN:pxoCQvID5QYn/qQJvr
TLSH:	31B37C7886370C57DA13363AFC0B37DDC2686EE7B4FC296AC05853E53A914C9944A93B
File Content Preview:	..............<script language="javascript">..document.write(unescape('%3C%21DOCTYPE%20html%3E%20%3Chtml%20lang%3D%22en%22%3E%3Chead%3E%20%3Cmeta%20http-equiv%3D%22content-type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%3E%20%0A%3Cmeta%20charse

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 11, 2023 06:36:21.709414959 CEST	60838	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.711723089 CEST	53819	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.712373972 CEST	60316	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.712757111 CEST	51816	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.713160038 CEST	51391	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.713489056 CEST	49785	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.713944912 CEST	63872	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.714318037 CEST	63362	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.714786053 CEST	49817	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.715070009 CEST	62550	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.715476036 CEST	53300	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.715866089 CEST	64803	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:21.811002970 CEST	53	51391	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.811075926 CEST	53	60316	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.811482906 CEST	53	51816	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.812134027 CEST	53	49817	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.812182903 CEST	53	49785	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.812714100 CEST	53	63872	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.812755108 CEST	53	53300	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.812802076 CEST	53	53819	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.813927889 CEST	53	60838	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.814102888 CEST	53	63362	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.816761017 CEST	53	62550	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.818139076 CEST	53	54388	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:21.832947969 CEST	53	64803	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:23.346616030 CEST	53	53653	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:25.536983013 CEST	54863	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:25.538033962 CEST	55398	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:25.579564095 CEST	54432	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:25.584379911 CEST	49985	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:25.586996078 CEST	51273	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:25.587865114 CEST	61330	53	192.168.2.4	8.8.8.8
Sep 11, 2023 06:36:25.628336906 CEST	53	54863	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:25.628935099 CEST	53	55398	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:25.675589085 CEST	53	49985	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:25.676218987 CEST	53	54432	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:25.706171036 CEST	53	61330	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:25.706222057 CEST	53	51273	8.8.8.8	192.168.2.4
Sep 11, 2023 06:36:39.636420965 CEST	53	52618	8.8.8.8	192.168.2.4
Sep 11, 2023 06:37:20.710408926 CEST	53	63094	8.8.8.8	192.168.2.4
Sep 11, 2023 06:38:54.231307983 CEST	53	60557	8.8.8.8	192.168.2.4

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:22 UTC	0	OUT	GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1 Host: aadcdn.msftauth.net Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-11 04:36:22 UTC	3	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Age: 9265460 Cache-Control: public, max-age=31536000 Content-MD5: nzaLxFgP7ZB3dfMcaybWzw== Content-Type: image/svg+xml Date: Mon, 11 Sep 2023 04:36:22 GMT Etag: 0x8DB5C3F495F4B8C Last-Modified: Wed, 24 May 2023 10:11:48 GMT Server: ECAcc (nya/7949) Vary: Accept-Encoding X-Cache: HIT x-ms-blob-type: BlockBlob x-ms-lease-status: unlocked x-ms-request-id: ac5ee99a-d01e-0064-7624-90b7da000000 x-ms-version: 2009-09-19 Content-Length: 3651 Connection: close
2023-09-11 04:36:22 UTC	4	IN	Data Raw: 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 38 22 20 68 65 69 67 68 74 3d 22 32 34 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 38 20 32 34 22 3e 3c 74 69 74 6c 65 3e 61 73 73 65 74 73 3c 2f 74 69 74 6c 65 3e 3c 70 61 74 68 20 64 3d 22 4d 34 34 2e 38 33 36 2c 34 2e 36 56 31 38 2e 34 68 2d 32 2e 34 56 37 2e 35 38 33 48 34 32 2e 34 4c 33 38 2e 31 31 39 2c 31 38 2e 34 48 33 36 2e 35 33 31 4c 33 32 2e 31 34 32 2c 37 2e 35 38 33 68 2d 2e 30 32 39 56 31 38 2e 34 48 32 39 2e 39 56 34 2e 36 68 33 2e 34 33 36 4c 33 37 2e 33 2c 31 34 2e 38 33 68 2e 30 35 38 4c 34 31 2e 35 34 35 2c 34 2e 36 5a 6d 32 2c 31 2e 30 34 39 61 31 2e 32 36 38 2c 31 2e 32 36 38 2c 30 Data Ascii: <svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:26 UTC	76	OUT	GET /smarty/xls_v1.6/tail-spin.svg HTTP/1.1 Host: kasumbo.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-11 04:36:26 UTC	81	IN	HTTP/1.1 200 OK Date: Mon, 11 Sep 2023 04:36:26 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2023-09-11 04:36:26 UTC	81	IN	Data Raw: 37 66 62 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 73 74 6f 72 65 2f 70 72 6f 64 75 63 74 73 2f 7a 65 6e 64 2d 73 61 66 65 67 75 61 72 64 2d 73 75 69 74 65 2e 70 68 70 22 3e 3c 69 6d 67 20 62 6f 72 64 65 72 3d 22 30 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 73 74 6f 72 65 2f 73 61 66 65 67 75 61 72 64 5f 6f 70 74 69 6d 69 7a 65 72 5f 69 6d 67 2e 67 69 66 22 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22 3e 3c 2f 61 3e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 5a 65 6e 64 20 4f 70 74 69 6d 69 7a 65 72 20 6e 6f 74 20 69 6e 73 74 61 6c 6c 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 3c 70 3e 54 68 69 73 20 66 69 6c 65 20 Data Ascii: 7fb<html><body><a href="http://www.zend.com/store/products/zend-safeguard-suite.php"><img border="0" src="http://www.zend.com/images/store/safeguard_optimizer_img.gif" align="right"></a><center><h1>Zend Optimizer not installed</h1></center><p>This file
2023-09-11 04:36:26 UTC	83	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:26 UTC	83	OUT	GET /smarty/xls_v1.6/msoxcel_.svg HTTP/1.1 Host: kasumbo.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-11 04:36:26 UTC	83	IN	HTTP/1.1 200 OK Date: Mon, 11 Sep 2023 04:36:26 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2023-09-11 04:36:26 UTC	83	IN	Data Raw: 37 66 62 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 73 74 6f 72 65 2f 70 72 6f 64 75 63 74 73 2f 7a 65 6e 64 2d 73 61 66 65 67 75 61 72 64 2d 73 75 69 74 65 2e 70 68 70 22 3e 3c 69 6d 67 20 62 6f 72 64 65 72 3d 22 30 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 73 74 6f 72 65 2f 73 61 66 65 67 75 61 72 64 5f 6f 70 74 69 6d 69 7a 65 72 5f 69 6d 67 2e 67 69 66 22 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22 3e 3c 2f 61 3e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 5a 65 6e 64 20 4f 70 74 69 6d 69 7a 65 72 20 6e 6f 74 20 69 6e 73 74 61 6c 6c 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 3c 70 3e 54 68 69 73 20 66 69 6c 65 20 Data Ascii: 7fb<html><body><a href="http://www.zend.com/store/products/zend-safeguard-suite.php"><img border="0" src="http://www.zend.com/images/store/safeguard_optimizer_img.gif" align="right"></a><center><h1>Zend Optimizer not installed</h1></center><p>This file
2023-09-11 04:36:26 UTC	85	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:22 UTC	1	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-GB&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-115.0.5790.171 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-11 04:36:22 UTC	39	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-Hm4c1IG-I-yTqS8txtXr0Q' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 11 Sep 2023 04:36:22 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6096 X-Daystart: 77782 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-09-11 04:36:22 UTC	40	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 30 39 36 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 37 37 37 38 32 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6096" elapsed_seconds="77782"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-09-11 04:36:22 UTC	40	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-09-11 04:36:22 UTC	40	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:22 UTC	2	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: AEC=Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA; CONSENT=PENDING+494; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg; __Secure-ENID=14.SE=FEqwE5eimu_CzO8QanixDxMiVRDl1S74wJwxQG4kibYxHFlarNLstM6_FtN3tkTBDN7NI-PM3BH3uafw_juj7Kua5Sxw58UIqMyDvhq3JStE-0GsITWS9X0QrbjvmkA5MVBf-Eb4RLTTefnPk1F_g7MJo2hXw4TzaSRHE_HtskdpjjbT9g
2023-09-11 04:36:22 UTC	3	OUT	Data Raw: 20 Data Ascii:
2023-09-11 04:36:22 UTC	64	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 11 Sep 2023 04:36:22 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-qVzDZFpzW4aSsULdcP3svg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-09-11 04:36:22 UTC	65	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-09-11 04:36:22 UTC	65	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:22 UTC	3	OUT	GET /w3css/4/w3.css HTTP/1.1 Host: www.w3schools.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-11 04:36:22 UTC	40	IN	HTTP/1.1 200 OK Age: 11922 Cache-Control: public,max-age=14400,public Content-Security-Policy: frame-ancestors 'self' https://mycourses.w3schools.com; Content-Type: text/css Date: Mon, 11 Sep 2023 04:36:22 GMT Etag: "0267aba79e1d91:0+gzip+ident" Last-Modified: Thu, 07 Sep 2023 10:54:52 GMT Server: ECS (nyb/1D2F) Vary: Accept-Encoding X-Cache: HIT X-Content-Security-Policy: frame-ancestors 'self' https://mycourses.w3schools.com; X-Powered-By: ASP.NET Content-Length: 23427 Connection: close
2023-09-11 04:36:22 UTC	41	IN	Data Raw: ef bb bf 2f 2a 20 57 33 2e 43 53 53 20 34 2e 31 35 20 44 65 63 65 6d 62 65 72 20 32 30 32 30 20 62 79 20 4a 61 6e 20 45 67 69 6c 20 61 6e 64 20 42 6f 72 67 65 20 52 65 66 73 6e 65 73 20 2a 2f 0a 68 74 6d 6c 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 7d 2a 2c 2a 3a 62 65 66 6f 72 65 2c 2a 3a 61 66 74 65 72 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 69 6e 68 65 72 69 74 7d 0a 2f 2a 20 45 78 74 72 61 63 74 20 66 72 6f 6d 20 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 62 79 20 4e 69 63 6f 6c 61 73 20 47 61 6c 6c 61 67 68 65 72 20 61 6e 64 20 4a 6f 6e 61 74 68 61 6e 20 4e 65 61 6c 20 67 69 74 2e 69 6f 2f 6e 6f 72 6d 61 6c 69 7a 65 20 2a 2f 0a 68 74 6d 6c 7b 2d 6d 73 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 2d 77 65 62 Data Ascii: /* W3.CSS 4.15 December 2020 by Jan Egil and Borge Refsnes /html{box-sizing:border-box},:before,:after{box-sizing:inherit}/* Extract from normalize.css by Nicolas Gallagher and Jonathan Neal git.io/normalize */html{-ms-text-size-adjust:100%;-web
2023-09-11 04:36:22 UTC	57	IN	Data Raw: 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 62 63 64 34 21 69 6d 70 6f 72 74 61 6e 74 7d 0a 2e 77 33 2d 62 6c 75 65 2d 67 72 65 79 2c 2e 77 33 2d 68 6f 76 65 72 2d 62 6c 75 65 2d 67 72 65 79 3a 68 6f 76 65 72 2c 2e 77 33 2d 62 6c 75 65 2d 67 72 61 79 2c 2e 77 33 2d 68 6f 76 65 72 2d 62 6c 75 65 2d 67 72 61 79 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 36 30 37 64 38 62 21 69 6d 70 6f 72 74 61 6e 74 7d 0a 2e 77 33 2d 67 72 65 65 6e 2c 2e 77 33 2d 68 6f 76 65 72 2d 67 72 65 65 6e 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 Data Ascii: !important;background-color:#00bcd4!important}.w3-blue-grey,.w3-hover-blue-grey:hover,.w3-blue-gray,.w3-hover-blue-gray:hover{color:#fff!important;background-color:#607d8b!important}.w3-green,.w3-hover-green:hover{color:#fff!important;background-color:#

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:23 UTC	67	OUT	GET /smarty/xls_v1.6/msoxcel_.svg HTTP/1.1 Host: kasumbo.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-11 04:36:23 UTC	68	IN	HTTP/1.1 200 OK Date: Mon, 11 Sep 2023 04:36:23 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2023-09-11 04:36:23 UTC	68	IN	Data Raw: 37 66 62 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 73 74 6f 72 65 2f 70 72 6f 64 75 63 74 73 2f 7a 65 6e 64 2d 73 61 66 65 67 75 61 72 64 2d 73 75 69 74 65 2e 70 68 70 22 3e 3c 69 6d 67 20 62 6f 72 64 65 72 3d 22 30 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 73 74 6f 72 65 2f 73 61 66 65 67 75 61 72 64 5f 6f 70 74 69 6d 69 7a 65 72 5f 69 6d 67 2e 67 69 66 22 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22 3e 3c 2f 61 3e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 5a 65 6e 64 20 4f 70 74 69 6d 69 7a 65 72 20 6e 6f 74 20 69 6e 73 74 61 6c 6c 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 3c 70 3e 54 68 69 73 20 66 69 6c 65 20 Data Ascii: 7fb<html><body><a href="http://www.zend.com/store/products/zend-safeguard-suite.php"><img border="0" src="http://www.zend.com/images/store/safeguard_optimizer_img.gif" align="right"></a><center><h1>Zend Optimizer not installed</h1></center><p>This file

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:24 UTC	70	OUT	GET /smarty/xls_v1.6/tail-spin.svg HTTP/1.1 Host: kasumbo.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-11 04:36:24 UTC	71	IN	HTTP/1.1 200 OK Date: Mon, 11 Sep 2023 04:36:24 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2023-09-11 04:36:24 UTC	71	IN	Data Raw: 37 66 62 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 73 74 6f 72 65 2f 70 72 6f 64 75 63 74 73 2f 7a 65 6e 64 2d 73 61 66 65 67 75 61 72 64 2d 73 75 69 74 65 2e 70 68 70 22 3e 3c 69 6d 67 20 62 6f 72 64 65 72 3d 22 30 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 73 74 6f 72 65 2f 73 61 66 65 67 75 61 72 64 5f 6f 70 74 69 6d 69 7a 65 72 5f 69 6d 67 2e 67 69 66 22 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22 3e 3c 2f 61 3e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 5a 65 6e 64 20 4f 70 74 69 6d 69 7a 65 72 20 6e 6f 74 20 69 6e 73 74 61 6c 6c 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 3c 70 3e 54 68 69 73 20 66 69 6c 65 20 Data Ascii: 7fb<html><body><a href="http://www.zend.com/store/products/zend-safeguard-suite.php"><img border="0" src="http://www.zend.com/images/store/safeguard_optimizer_img.gif" align="right"></a><center><h1>Zend Optimizer not installed</h1></center><p>This file
2023-09-11 04:36:24 UTC	73	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-09-11 04:36:25 UTC	73	OUT	GET /smarty/xls_v1.6/msoxcel_.svg HTTP/1.1 Host: kasumbo.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
2023-09-11 04:36:25 UTC	73	IN	HTTP/1.1 200 OK Date: Mon, 11 Sep 2023 04:36:25 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2023-09-11 04:36:25 UTC	74	IN	Data Raw: 37 66 62 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 73 74 6f 72 65 2f 70 72 6f 64 75 63 74 73 2f 7a 65 6e 64 2d 73 61 66 65 67 75 61 72 64 2d 73 75 69 74 65 2e 70 68 70 22 3e 3c 69 6d 67 20 62 6f 72 64 65 72 3d 22 30 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 7a 65 6e 64 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 73 74 6f 72 65 2f 73 61 66 65 67 75 61 72 64 5f 6f 70 74 69 6d 69 7a 65 72 5f 69 6d 67 2e 67 69 66 22 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22 3e 3c 2f 61 3e 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 5a 65 6e 64 20 4f 70 74 69 6d 69 7a 65 72 20 6e 6f 74 20 69 6e 73 74 61 6c 6c 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 3c 70 3e 54 68 69 73 20 66 69 6c 65 20 Data Ascii: 7fb<html><body><a href="http://www.zend.com/store/products/zend-safeguard-suite.php"><img border="0" src="http://www.zend.com/images/store/safeguard_optimizer_img.gif" align="right"></a><center><h1>Zend Optimizer not installed</h1></center><p>This file
2023-09-11 04:36:25 UTC	76	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:36:18
Start date:	11/09/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\ACH payment confirmation careersindia@securview.com .HTML
Imagebase:	0x7ff7c94b0000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	1
Start time:	06:36:19
Start date:	11/09/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1860,i,10221190459973097732,13979483278592795457,262144 /prefetch:8
Imagebase:	0x7ff7c94b0000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ACH payment confirmation careersindia@securview.com .HTML

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\Filtering Rules

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\LICENSE.txt

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\_metadata\verified_contents.json

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\manifest.fingerprint

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1498812047\manifest.json

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_metadata\verified_contents.json

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_pnacl_json

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_for_eh_o

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_o

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_crtend_o

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_libcrt_platform_a

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_libgcc_a

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_a

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_dummy_a

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\manifest.fingerprint

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5844_1598255430\manifest.json

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Windows Analysis Report
ACH payment confirmation careersindia@securview.com .HTML

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre