Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

Overview

General Information

Sample URL:	http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com
Analysis ID:	1590851

Detection

HTMLPhisher

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish10

Form action URLs do not match main URL

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

Stores files to the Windows start menu directory

Suspicious form URL found

URL contains potential PII (phishing indication)

Classification

×

Process Tree

System is w10x64_ra

chrome.exe (PID: 4792 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 2296 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1784,i,2121388880603331754,1539219781934230349,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
1.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected HtmlPhish10

Source: Yara match

File source: 1.0.pages.csv, type: HTML

Source: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

HTTP Parser: Form action: https://fcguae.com/login.php com fcguae

Source: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

HTTP Parser: Number of links: 0

Source: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" width="359pt" height="320" viewBox="0 0 359 240"><defs><clipPath id="a"><path d="M123 0h235.37v240H123zm0 0"/></clipPath></defs><path d="M89.69 59.102h67.802l-10.5 40.2c-1.605 5.6-4.605 10.1-9 13.5-4.402 3.4-9.504 5...

Source: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

HTTP Parser: Title: Webmail Login does not match URL

Source: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

HTTP Parser: Form action: https://fcguae.com/login.php

Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com
Source: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	Sample URL: PII: communication@treezor.com

Source: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

HTTP Parser: <input type="password" .../> found

Source: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

HTTP Parser: No <meta name="author".. found

Source: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.17:49738 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 27MB

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13

Source: global traffic	DNS traffic detected: DNS query: quality.harman.com.sa
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.17:49738 version: TLS 1.2

Source: classification engine

Classification label: mal48.phis.win@18/11@10/119

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1784,i,2121388880603331754,1539219781934230349,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=1784,i,2121388880603331754,1539219781934230349,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	3 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
quality.harman.com.sa	66.7.221.153	true	false		unknown
www.google.com	142.250.185.132	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.67	unknown	United States		15169	GOOGLEUS	false
1.1.1.1	unknown	Australia		13335	CLOUDFLARENETUS	false
142.250.74.206	unknown	United States		15169	GOOGLEUS	false
172.217.18.14	unknown	United States		15169	GOOGLEUS	false
216.58.206.67	unknown	United States		15169	GOOGLEUS	false
66.7.221.153	quality.harman.com.sa	United States		33182	DIMENOCUS	false
142.250.185.132	www.google.com	United States		15169	GOOGLEUS	false
64.233.166.84	unknown	United States		15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.186.42	unknown	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.17
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590851
Start date and time:	2025-01-14 15:03:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.phis.win@18/11@10/119

Warnings

Exclude process from analysis (whitelisted): TextInputHost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67, 172.217.18.14, 64.233.166.84, 142.250.186.78, 172.217.16.206, 2.23.77.188, 142.250.186.42, 142.250.184.234, 142.250.185.138, 172.217.16.138, 172.217.18.10, 142.250.186.138, 216.58.212.170, 142.250.184.202, 142.250.185.74, 172.217.23.106, 172.217.16.202, 216.58.206.74, 172.217.18.106, 142.250.185.106, 142.250.74.202, 142.250.186.74, 142.250.184.206, 172.217.18.110, 199.232.210.172
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, redirector.gvt1.com, content-autofill.googleapis.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com

LLM Input / Output

Input	Output
URL: http://quality.harman.com.sa Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: http://quality.harman.com.sa
URL: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Your session cookie is invalid. Please log in again.", "prominent_button_name": "Log in", "text_input_field_labels": [ "Email Address", "Password" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com Model: Joe Sandbox AI	{ "brands": [ "Webmail" ] }
	{ "brands": [ "Webmail" ] }
URL: https://quality.harman.com.sa Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://quality.harman.com.sa
URL: https://quality.harman.com.sa/Webmail/78/Webmail/w... Model: Joe Sandbox AI	```json { "risk_score": 2, "reasoning": "The script includes a form submission function that dynamically creates and submits a form, which is a moderate-risk behavior due to potential data transmission to external domains. However, there is no indication of malicious intent or interaction with suspicious domains. The script appears to be part of a login process, which is a legitimate context." }
var MESSAGES = {"success":"Login successful. Redirecting ","invalid_login":"The login is invalid.","ajax_timeout":"The connection timed out. Please try again.","read_below":"Read the important information below.","internal_error":"An internal error occurred. If this condition persists, contact the system administrator.","network_error":"A network error occurred during your login request. Please try again. If this condition persists, contact your network service provider.","authenticating":"Authenticating ","no_username":"You must specify a username to log in.","session_locale":"The desired locale has been saved to your browser. To change the locale in this browser again, select another locale on this screen."}; window.IS_LOGOUT = false; //submit_post.js (function(context){"use strict";var DOC=context.document;function _wrongType(name,value){throw new Error(""+name+" must be a string, number, or array, not "+value)}var scalarTypeIsOk={number:true,string:true};function submit(url,args){var myform=DOC.createElement("form");myform.method="POST";myform.action=url;myform.style.display="none";Object.keys(args).forEach(function(name){var values;if("object"===typeof args[name]){if(args[name]instanceof Array){values=args[name]}else{_wrongType(name,args[name])}}else if(scalarTypeIsOk[typeof args[name]]){values=[args[name]]}else{_wrongType(name,args[name])}values.forEach(function(val){var myvar=DOC.createElement("input");myvar.type="hidden";myvar.name=name;myvar.value=val;myform.appendChild(myvar)})});DOC.documentElement.appendChild(myform);myform.submit();DOC.documentElement.removeChild(myform)}context.SubmitPost={submit:submit}})(window); //jstz.min.js /! jstz - v1.0.4 - 2012-12-18 / (function(e){var t=function(){"use strict";var e="s",n=function(e){var t=-e.getTimezoneOffset();return t!==null?t:0},r=function(e,t,n){var r=new Date;return e!==undefined&&r.setFullYear(e),r.setDate(n),r.setMonth(t),r},i=function(e){return n(r(e,0,2))},s=function(e){return n(r(e,5,2))},o=function(e){var t=e.getMonth()>7?s(e.getFullYear()):i(e.getFullYear()),r=n(e);return t-r!==0},u=function(){var t=i(),n=s(),r=i()-s();return r<0?t+",1":r>0?n+",1,"+e:t+",0"},a=function(){var e=u();return new t.TimeZone(t.olson.timezones[e])},f=function(e){var t=new Date(2010,6,15,1,0,0,0),n={"America/Denver":new Date(2011,2,13,3,0,0,0),"America/Mazatlan":new Date(2011,3,3,3,0,0,0),"America/Chicago":new Date(2011,2,13,3,0,0,0),"America/Mexico_City":new Date(2011,3,3,3,0,0,0),"America/Asuncion":new Date(2012,9,7,3,0,0,0),"America/Santiago":new Date(2012,9,3,3,0,0,0),"America/Campo_Grande":new Date(2012,9,21,5,0,0,0),"America/Montevideo":new Date(2011,9,2,3,0,0,0),"America/Sao_Paulo":new Date(2011,9,16,5,0,0,0),"America/Los_Angeles":new Date(2011,2,13,8,0,0,0),"America/Santa_Isabel":new Date(2011,3,5,8,0,0,0),"America/Havana":new Date(2012,2,10,2,0,0,0),"America/New_York":new Date(2012,2,10,7,0,0,0),"Asia/Beirut":new Date(2011,2,27,1,0,0,0),"Europe/Helsinki":new Date(2011,2,27,4,0,0,0),"Europe/Istanbul":new Date(2011,2,28,5,0,0,0),"Asia/Damascus":new Date(2011,3,1,2,0,0,0),"Asia/Jerusalem":new Date(2011,3,1,6,0,0,0),"Asia/Gaza":new Date(2009,2,28,0,30,0,0),"Africa/Cairo":new Date(2009,3,25,0,30,0,0),"Pacific/Auckland":new Date(2011,8,26,7,0,0,0),"Pacific/Fiji":new Date(2010,11,29,23,0,0,0),"America/Halifax":new Date(2011,2,13,6,0,0,0),"America/Goose_Bay":new Date(2011,2,13,2,1,0,0),"America/Miquelon":new Date(2011,2,13,5,0,0,0),"America/Godthab":new Date(2011,2,27,1,0,0,0),"Europe/Moscow":t,"Asia/Yekaterinburg":t,"Asia/Omsk":t,"Asia/Krasnoyarsk":t,"Asia/Irkutsk":t,"Asia/Yakutsk":t,"Asia/Vladivostok":t,"Asia/Kamchatka":t,"Europe/Minsk":t,"Australia/Perth":new Date(2008,10,1,1,0,0,0)};return n[e]};return{determine:a,date_is_dst:o,dst_start_for:f}}();t.TimeZone=function(e){"use strict";var n={"America/Denver":["America/Denver","America/Mazatlan"],"America/Chicago":["America/Chicago","America/Mexico_City"],"America/Santiago":["America/Santiago","America/Asuncion","Ame
URL: https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com Model: Joe Sandbox AI	```json{ "legit_domain": "harman.com", "classification": "wellknown", "reasons": [ "The brand 'Harman' is well-known and associated with the domain 'harman.com'.", "The URL 'quality.harman.com.sa' includes 'harman.com', which is the legitimate domain for Harman.", "The '.sa' domain extension indicates a Saudi Arabian domain, which could be legitimate if Harman operates in that region.", "The subdomain 'quality' does not inherently indicate phishing, but it is not a typical subdomain for webmail services.", "The brand 'Webmail' is generic and not directly associated with Harman, which raises suspicion.", "The presence of input fields for 'Email Address' and 'Password' is typical for webmail services but could be used for phishing." ], "riskscore": 5}
URL: quality.harman.com.sa Brands: Webmail Input Fields: Email Address, Password

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 13:04:53 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9832015897001196
Encrypted:	false
SSDEEP:
MD5:	FF7AE82A18918DA268A8815EC598149B
SHA1:	BCCCCA8FDD565E2AAC4B25ABEC5003D9AF7F7996
SHA-256:	3EB811752B0CF78F722A1F8E0333465761085476C70B9D4BB8DD8C695A8AA66E
SHA-512:	D1EDCDF777225797F2F8F2227580D5763C78DBCDD14F331CAB913D35728071B9394E0B3AD9E5285612DA64CD3858799529056401580D4803100E998DCCE2E022
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....w.H.f......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Z.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Z.p....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Z.p....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Z.p...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Z.p...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............qHV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 13:04:53 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9956480471481433
Encrypted:	false
SSDEEP:
MD5:	A6FE2B6D5F1E7147C168159C435B1500
SHA1:	C9229588C736A05CB40A875020E4B8FE1BF44471
SHA-256:	0F751655ECF4F7BD7C274C1AAA785F7CDFC8C14E54C0328BCC9D2B85A590E42A
SHA-512:	4E5083CD6FEF8F3533A7C30C7F21F3901EB886FA9EF22950952DF0253F9CEB3A1542D24FD524C44DE7AE26CC100202F223E46D38494D8B267884F455A4393CEE
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......H.f......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Z.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Z.p....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Z.p....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Z.p...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Z.p...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............qHV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.0103697750907115
Encrypted:	false
SSDEEP:
MD5:	6048B45C6FF38F362DE1622ABCA90996
SHA1:	90E5D461272F28629E4EC59B374AA020FE1532B7
SHA-256:	B353ED520D2A8BF4056BEE934C0998D7A336E9A6E45A53CB11D208AFC9E9848A
SHA-512:	72B8D7D2F3AFBD1D478271907580485C894AA7724B659B70E726B91C90C550A08E6BA50E807D412938FD7CAF9072A3C3A8B1559C740A8B926FB66D272223F36B
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Z.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Z.p....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Z.p....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Z.p...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............qHV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 13:04:53 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9964506585383495
Encrypted:	false
SSDEEP:
MD5:	99916DCC4BBC90D9D63C65A356DEA404
SHA1:	86AD672FA8431961EF0C0648C1834D13CF80F650
SHA-256:	29E9DDB538DCFBBE35568B43C489B1117716CDD46EACF27D9C2A9828A53BD374
SHA-512:	450705DBB33EB614780768A6465A20BC600E3C5CFD817DFB045469A56FDB29B5F8B36FA0A85DA6E5EDE013CC10B154998C59C9EBF3178DA767B159F0D0B5D87A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......H.f......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Z.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Z.p....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Z.p....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Z.p...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Z.p...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............qHV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 13:04:53 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9864451925370847
Encrypted:	false
SSDEEP:
MD5:	370A0B47C20E5ACF6AC4F8C33306B24F
SHA1:	07DF1DFE0874AB9F83DAE09D88B116D493413652
SHA-256:	A9700A5732F924D3FADA6C1E57A8E50501C77D006CF05912AF6F883B098467F1
SHA-512:	C17B1EC85BDAD17EAAEAF5B11FE5778C43837200E759F02DC0FDD763021921925500CD5025781B197EDD4083296CD4942AFC6070593D59E6F580F21568C2FA3E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....,.H.f......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Z.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Z.p....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Z.p....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Z.p...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Z.p...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............qHV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jan 14 13:04:53 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.0000476997144965
Encrypted:	false
SSDEEP:
MD5:	E11E37BDB5C16D24B9E30FEC06BA65B7
SHA1:	BE404A12AC9FE77AAF4C5592438117162E9FCED7
SHA-256:	D2BD28ACCEEB46942D4131E1628C8A69D9D2314492EE9123D0F4810C5731A0E6
SHA-512:	C521157529BB58A52A25FEE7B815D36BDDDBE8638833078EDE702EA84E37CDD3E0FE0E43F54213E766583FBA84CADB040E3F8AF36DC3736E1D5502BF01E718F5
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......H.f......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Z.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Z.p....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Z.p....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Z.p...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Z.p...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............qHV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 65

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	28
Entropy (8bit):	4.066108939837481
Encrypted:	false
SSDEEP:
MD5:	D59DE2F2B1F18AFAAB6EFBB5E8D7DB42
SHA1:	77587B981A047955407905358D39950877368CC9
SHA-256:	E5D91D35F7D93D22881F28575657D7928D6A63A6381EB58B9759935171CD6A0D
SHA-512:	8D1BFAB6D22907F036BA0B8B5AF1B8FA1738C2F761B7373B93DBEF8790131844379206060CEA0CB059AA6D566A2FCDA102D391B0740F4618A573047BE660808A
Malicious:	false
Reputation:	unknown
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xNDkSFwl4919O_qtJFxIFDQiEZ_ESBQ3Fk8Qk?alt=proto
Preview:	ChIKBw0IhGfxGgAKBw3Fk8QkGgA=

Chrome Cache Entry: 66

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65374)
Category:	downloaded
Size (bytes):	84926
Entropy (8bit):	5.62378551414074
Encrypted:	false
SSDEEP:
MD5:	6BE752B6A895BC1F13E0602843CE2C99
SHA1:	B289069A2F7B123352F71631420976A459D44154
SHA-256:	E8D52843DB13FE3EDFD9B4BDFB1B0C27A270BD461B4657B33B44A087A777572E
SHA-512:	30DC9A69DFD62084B9D9DEEE88BCFDE21CDB9CEC6B82781968D696111A7E83073988E35BEBDF7F431EC77D65477C2372D56397DB9FDA0F529F12940A568C224A
Malicious:	false
Reputation:	unknown
URL:	https://quality.harman.com.sa/Webmail/78/Webmail/Webmail%20Login_files/style_v2_optimized.css
Preview:	/!. Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome. * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License). */@font-face{font-family:'FontAwesome';src:url(../fonts/fontawesome-webfont.eot?v=4.3.0);src:url(../fonts/fontawesome-webfont.eot?#iefix&v=4.3.0) format('embedded-opentype'),url(../fonts/fontawesome-webfont.woff2?v=4.3.0) format('woff2'),url(../fonts/fontawesome-webfont.woff?v=4.3.0) format('woff'),url(../fonts/fontawesome-webfont.ttf?v=4.3.0) format('truetype'),url(../fonts/fontawesome-webfont.svg?v=4.3.0#fontawesomeregular) format('svg');font-weight:normal;font-style:normal}.fa{display:inline-block;font:normal normal normal 14px/1 FontAwesome;font-size:inherit;text-rendering:auto;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;transform:translate(0,0)}.fa-lg{font-size:1.33333333em;line-height:.75em;vertical-align:-15%}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.f

Chrome Cache Entry: 67

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	5360
Entropy (8bit):	3.974791516885639
Encrypted:	false
SSDEEP:
MD5:	BC0C956653325B9E694D4DD1DFB78020
SHA1:	E1196E4DB68ED573355ADE966152A084581B40EC
SHA-256:	998CD48CDC0414F694D0A3A299DD2BEB1134769D5666C7E5567E7D20B4174EF8
SHA-512:	7C283E8723F01F57C7258EA05AA5D7A72A886246EDE76136F2D4DC489061D8400AA4B5F8E61F23F2388DD95FEA7307FAA2670AF09B309FAB6678DE16E547AE4E
Malicious:	false
Reputation:	unknown
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="1462pt" height="320" viewBox="0 0 1462 240"><defs><clipPath id="a"><path d="M1339 0h122.44v240H1339zm0 0"/></clipPath></defs><path d="M365.102 14.398l-43.204 160.204c-2.597 9.597-6.597 18.45-12 26.546-5.398 8.102-11.847 15-19.347 20.704-7.5 5.7-15.855 10.152-25.05 13.347-9.2 3.202-18.8 4.8-28.8 4.8H0L60.3 13.5c.997-3.996 3.153-7.246 6.45-9.75C70.05 1.254 73.8 0 78 0h32.102c3.796 0 6.847 1.5 9.148 4.5 2.297 3 2.95 6.3 1.95 9.898l-44.7 166.8h60.898l45-167.698c1-3.996 3.153-7.246 6.454-9.75 3.296-2.496 6.945-3.75 10.95-3.75h32.397c3.796 0 6.796 1.5 9 4.5 2.198 3 2.8 6.3 1.8 9.898l-44.7 166.8H234.9c7.204 0 13.653-2.143 19.352-6.448 5.7-4.297 9.45-9.945 11.25-16.95l38.7-144.3c1-3.996 3.152-7.246 6.448-9.75 3.3-2.496 7.05-3.75 11.25-3.75H354c3.797 0 6.852 1.5 9.148 4.5 2.297 3 2.954 6.3 1.954 9.898M414.598 116.25c-2.403 1.902-4.102 4.352-5.102 7.352l-13.5 51c-.8 2.8-.3 5.398 1.5 7.796 1.805 2.403 4.2 3.602 7.2 3.602h124.202l-9.597 35.7c-1.605 5.

Chrome Cache Entry: 68

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (6358), with no line terminators
Category:	downloaded
Size (bytes):	6358
Entropy (8bit):	5.046147874900214
Encrypted:	false
SSDEEP:
MD5:	476AFA553FEA4614728877A7CD478705
SHA1:	F3E85923BE9467BCB19DD9FE1A64B2094D6DBC7E
SHA-256:	919E3B6B5B80ECDFB3C87B5E3AA55F174C21A79ED75C63DE2DAB20394FF7A676
SHA-512:	3D2324AEDAC6465F78F33349414FAA91A2C37AA0BAF129958538175B48D39B94C845C192623408E79D096086D53B2C00C87C399D06F937957AB3A71AF2B4E9ED
Malicious:	false
Reputation:	unknown
URL:	https://quality.harman.com.sa/Webmail/78/Webmail/Webmail%20Login_files/open_sans.css
Preview:	@font-face{font-family:'Open Sans';src:url(/cPanel_magic_revision_1386192031/unprotected/cpanel/fonts/open_sans/OpenSans-Bold-webfont.eot);src:url(/cPanel_magic_revision_1386192031/unprotected/cpanel/fonts/open_sans/OpenSans-Bold-webfont.eot?#iefix) format('embedded-opentype'),url(/cPanel_magic_revision_1386192031/unprotected/cpanel/fonts/open_sans/OpenSans-Bold-webfont.woff) format('woff'),url(/cPanel_magic_revision_1386192031/unprotected/cpanel/fonts/open_sans/OpenSans-Bold-webfont.ttf) format('truetype'),url(OpenSans-Bold-webfont.svg#open_sansbold) format('svg');font-style:normal;font-weight:700}@font-face{font-family:'Open Sans';src:url(/cPanel_magic_revision_1386192031/unprotected/cpanel/fonts/open_sans/OpenSans-BoldItalic-webfont.eot);src:url(/cPanel_magic_revision_1386192031/unprotected/cpanel/fonts/open_sans/OpenSans-BoldItalic-webfont.eot?#iefix) format('embedded-opentype'),url(/cPanel_magic_revision_1386192031/unprotected/cpanel/fonts/open_sans/OpenSans-BoldItalic-webfont.wof

Chrome Cache Entry: 70

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (5306), with CRLF line terminators
Category:	downloaded
Size (bytes):	28994
Entropy (8bit):	5.421802274423114
Encrypted:	false
SSDEEP:
MD5:	60112838CDE49AEA83BD0420D691E594
SHA1:	5A0B75FA4F3A61DB746CA8E535712533712FAC77
SHA-256:	EA5FA05804C7CD3D271DCC9A3F5DA298996FDD70B84130ACCA3004304036D130
SHA-512:	8C01C6F44963C5D56F3FD046EA30C7434397195F0D864F591EF7E1AE4D2A8B6ED99D9FCA75A23EC458EA3796B56F0562411E277BB69530C17B530E66F389D2C0
Malicious:	false
Reputation:	unknown
URL:	https://quality.harman.com.sa/Webmail/78/Webmail/webmail.php?email=communication@treezor.com
Preview:	<!DOCTYPE html>..<html dir="ltr" lang="en"><head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">.. <meta name="google" content="notranslate">.. <meta name="apple-itunes-app" content="app-id=1188352635">.. <title>Webmail Login</title>.. <link rel="shortcut icon" href="data:image/x-icon;base64,AAABAAEAICAAAAEAIADSAgAAFgAAAIlQTkcNChoKAAAADUlIRFIAAAAgAAAAIAgGAAAAc3p69AAAAplJREFUWIXt1j2IHGUYB/DfOzdnjIKFkECIVWIKvUFsIkRExa9KJCLaWAgWJx4DilZWgpDDiI0wiViIoGATP1CCEDYHSeCwUBBkgiiKURQJFiLo4d0eOxYzC8nsO9m9XcXC+8MW+3z+9/l6l2383xH+iSBpElyTdoda26xsDqp/h0CVZ3vwKm7tMBngAs7h7eRYebG6hMtMBHbMBX89vfARHprQ5U8cwdFQlIOZCVR5di1+w/wWXT/EY6EoN5NZCODuKZLDwzgSMCuBe2fwfX6QZwtpWzqfBBtLC3txF/ZhxKbBGx0EfsTJS77vwmGjlZrD4mUzUOXZjVjGI65cnTXchB8iupdDUb7QinsQZ7GzZftdQj2JVZ49iC/w6JjksIo7OnS9tiA5Vn6GtyK2+1MY5NkhfGDygVrBAxH5WkPuMjR7/3UsUFLl2Q68s4XkA3ws3v9zoSjX28Kr5wL1xrTxa6ou+f6OZ

Static File Info

⊘No static file info