Edit tour

Windows Analysis Report
PaymentOnline.html

Overview

General Information

Sample name:	PaymentOnline.html
Analysis ID:	1500509
MD5:	4cacf32138486b8ca5adb3da029444eb
SHA1:	47f8ea09758e72f0c95fa25d3267deb4ee5f4e0d
SHA256:	f8b83a4418456313b2f77ebc2d03e24662e913782b576b872315084f91658f9d
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

HTML document with suspicious name

HTML file submission containing password form

Phishing site detected (based on image similarity)

Phishing site detected (based on logo match)

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4520 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\PaymentOnline.html" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2008,i,10137650121201936708,14751184556041639990,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Phishing site detected (based on image similarity)

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

Matcher: Found strong image similarity, brand: MICROSOFT

Phishing site detected (based on logo match)

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

Matcher: Template: microsoft matched

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: Number of links: 0

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: Title: se does not match URL

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: <input type="password" .../> found

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: No favicon

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: Joe Sandbox View	IP Address: 151.101.65.229 151.101.65.229
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 195.80.159.133 195.80.159.133
Source: Joe Sandbox View	IP Address: 195.80.159.133 195.80.159.133

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /npm/@emailjs/browser@3/dist/email.min.js HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ip.js?var=userip HTTP/1.1Host: l2.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ip.js?var=userip HTTP/1.1Host: l2.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CyU75V7dEdNgGPP&MD=GouCRbga HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CyU75V7dEdNgGPP&MD=GouCRbga HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic	DNS traffic detected: DNS query: l2.io
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: PaymentOnline.html	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: chromecache_64.2.dr	String found in binary or memory: https://api.emailjs.com
Source: PaymentOnline.html	String found in binary or memory: https://cdn.jsdelivr.net/npm/
Source: chromecache_67.2.dr, chromecache_64.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin
Source: chromecache_67.2.dr, chromecache_64.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin/account
Source: chromecache_67.2.dr, chromecache_64.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin/templates
Source: PaymentOnline.html	String found in binary or memory: https://getbootstrap.com)
Source: PaymentOnline.html	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: PaymentOnline.html	String found in binary or memory: https://l2.io/ip.js?var=userip

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49761 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: PaymentOnline.html

Initial sample: payment

Source: classification engine

Classification label: mal56.phis.winHTML@24/9@10/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\PaymentOnline.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2008,i,10137650121201936708,14751184556041639990,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2008,i,10137650121201936708,14751184556041639990,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/PaymentOnline.html

HTTP Parser: file:///C:/Users/user/Desktop/PaymentOnline.html

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://github.com/twbs/bootstrap/blob/master/LICENSE)	0%	Avira URL Cloud	safe
https://cdn.jsdelivr.net/npm/	0%	Avira URL Cloud	safe
https://getbootstrap.com)	0%	Avira URL Cloud	safe
https://cdn.jsdelivr.net/npm/@emailjs/browser@3/dist/email.min.js	0%	Avira URL Cloud	safe
file:///C:/Users/user/Desktop/PaymentOnline.html	0%	Avira URL Cloud	safe
https://l2.io/ip.js?var=userip	0%	Avira URL Cloud	safe
https://api.emailjs.com	0%	Avira URL Cloud	safe
https://dashboard.emailjs.com/admin/templates	0%	Avira URL Cloud	safe
https://dashboard.emailjs.com/admin/account	0%	Avira URL Cloud	safe
https://dashboard.emailjs.com/admin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jsdelivr.map.fastly.net	151.101.65.229	true	false	unknown
l2.io	195.80.159.133	true	false	unknown
www.google.com	172.217.16.132	true	false	unknown
cdn.jsdelivr.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.jsdelivr.net/npm/@emailjs/browser@3/dist/email.min.js	false	Avira URL Cloud: safe	unknown
file:///C:/Users/user/Desktop/PaymentOnline.html	true	Avira URL Cloud: safe	unknown
https://l2.io/ip.js?var=userip	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/twbs/bootstrap/blob/master/LICENSE)	PaymentOnline.html	false	Avira URL Cloud: safe	unknown
https://cdn.jsdelivr.net/npm/	PaymentOnline.html	false	Avira URL Cloud: safe	unknown
https://dashboard.emailjs.com/admin/account	chromecache_67.2.dr, chromecache_64.2.dr	false	Avira URL Cloud: safe	unknown
https://api.emailjs.com	chromecache_64.2.dr	false	Avira URL Cloud: safe	unknown
https://dashboard.emailjs.com/admin/templates	chromecache_67.2.dr, chromecache_64.2.dr	false	Avira URL Cloud: safe	unknown
https://getbootstrap.com)	PaymentOnline.html	false	Avira URL Cloud: safe	unknown
https://dashboard.emailjs.com/admin	chromecache_67.2.dr, chromecache_64.2.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.65.229	jsdelivr.map.fastly.net	United States	54113	FASTLYUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
195.80.159.133	l2.io	France	29152	DECKNET-ASFR	false
172.217.16.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500509
Start date and time:	2024-08-28 15:33:49 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PaymentOnline.html
Detection:	MAL
Classification:	mal56.phis.winHTML@24/9@10/5
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.99, 142.250.186.142, 74.125.71.84, 216.58.206.74, 104.18.186.31, 104.18.187.31, 34.104.35.123, 216.58.212.170, 2.16.100.168, 192.229.221.95, 142.250.184.234, 142.250.186.42, 142.250.74.202, 216.58.206.42, 142.250.186.170, 142.250.186.74, 142.250.185.202, 172.217.16.202, 172.217.16.138, 172.217.18.10, 142.250.184.202, 142.250.185.170, 142.250.181.234, 142.250.185.234, 142.250.184.227, 142.250.185.206
Excluded domains from analysis (whitelisted): clients1.google.com, cdn.jsdelivr.net.cdn.cloudflare.net, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ajax.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: PaymentOnline.html

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	Password Expiration Notification.msg	Get hash	malicious	Unknown	Browse
	https://google.mg/url?hl=en&q=https://google.nr/url?q=Gl7qws6TcZ&rct=4214&sa=t&esrc=vax&source=Gl7qws6TcZ&cd=Nzpn8b&cad=Gl7qws6TcZD5&ved=Gl7qws6TcZ84214G&uact=82299&url=amp%2Fgoogle.com.pg/amp/cli.re/rp5Y1r#YW5kcmV3QGhlZWRkaWdpdGFsbWVkaWEuY29t%2F&opi=256371986142&usg=lxfGUQNysmkDx&source=gmail&ust=5108318229914681&usg=AOGl7qws6TcZjng81rOWFwZGl7qws6TcZqR81	Get hash	malicious	HTMLPhisher	Browse
	mmclaughlin-In Service Agreement-41918.pdf	Get hash	malicious	HTMLPhisher	Browse
	mbda-us.comAudiowav012.html	Get hash	malicious	HTMLPhisher	Browse
	https://berajpaints.com.pk/tag/dolor/	Get hash	malicious	Unknown	Browse
	http://jop2024.sciencesconf.org/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	mbda-us.comAudiowav012.html	Get hash	malicious	HTMLPhisher	Browse
	Proforma.Invoice.Payment.$$.html	Get hash	malicious	Unknown	Browse
	https://hattenforlag.se	Get hash	malicious	Unknown	Browse
195.80.159.133	FbF3uCH1M3.exe	Get hash	malicious	Unknown	Browse	www.l2.io/ip
	6dqTzK7uUB.exe	Get hash	malicious	Unknown	Browse	www.l2.io/ip
	PR9Hc4n9Vg.exe	Get hash	malicious	Unknown	Browse	www.l2.io/ip
	Xkly3iW7wH.exe	Get hash	malicious	Unknown	Browse	www.l2.io/ip
	6G3bMss9Bl.exe	Get hash	malicious	Unknown	Browse	www.l2.io/ip
	20202237F.html	Get hash	malicious	HTMLPhisher	Browse	l2.io/ip.js?var=userip
151.101.65.229	https://www.unitek-products.com/products/1-5m-hdmi-v2-1-cable	Get hash	malicious	Unknown	Browse
	http://claimlive0.pages.dev/	Get hash	malicious	Unknown	Browse
	DOC-80697077.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://files.fm/u/vtrxvgdh6w	Get hash	malicious	GuLoader	Browse
	http://ebay.to/3u2gAme	Get hash	malicious	Unknown	Browse
	http://o62arw.dsjpropertymanagementllc.com	Get hash	malicious	EvilProxy, HTMLPhisher	Browse
	https://request-label-1356355851.pages.dev/robots.txt/	Get hash	malicious	Unknown	Browse
	https://help-extensin-coinbse.webflow.io/	Get hash	malicious	Unknown	Browse
	https://buy-korea-online.vercel.app/?web=th.park@hdel.co.kr	Get hash	malicious	Unknown	Browse
	http://6wuo11ea9pufk7b81cbzel3jw5iijs6wuo11ea9pufk7b81cbzel3jw5iijs.s3-website-us-east-1.amazonaws.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jsdelivr.map.fastly.net	CXWk52EmUt.exe	Get hash	malicious	Unknown	Browse	151.101.129.229
	http://pub-10050726d25949d8bd6cb438a8b6b09c.r2.dev/home.html	Get hash	malicious	Unknown	Browse	151.101.129.229
	http://get-verified-free-badge.vercel.app/	Get hash	malicious	Unknown	Browse	151.101.129.229
	https://hamimtalukdar.github.io/Facebook-Login-To-Link	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://mellifluous-squirrel-aca5c4.netlify.app/	Get hash	malicious	Unknown	Browse	151.101.129.229
	https://www.unitek-products.com/products/1-5m-hdmi-v2-1-cable	Get hash	malicious	Unknown	Browse	151.101.65.229
	http://claimlive0.pages.dev/	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://pub-d7ea140b75d84515876a7b3907716f0b.r2.dev/OTDISDHFHDJ728783YEBDJHDHDI7092065674-AAHkRTWk91gKycvF_QD3tylL-zHMyVJ083E%207092065674-AAHkRTWk91gKycvF_QD3tylL-zHMyVJ083E%207092065674-AAHkRTWk91gKycvF_QD3tylL-zHMyVJ083DHD834GHF8.html?$deeplink_path=/paystubs/78b0e9e4-d2bc-4f7e-b4da-9d23f146a29a&_branch_match_id=1343911699625856863&_branch_referrer=H4sIAAAAAAAAA21NwU6EMBD9mvVWcEtZwGRjICAsh03MxJTtZdPSQhVUQkGyf29RT4Y5zMx7894bPU2DeXDdt9lMy%20fYGYcPg9O/fnTu4w4TqdSwguvAJ33c4aeB38w0C2PXIBT3KlIESSxqRJpAIUEkR5HEXrMnB44jfmczGt73gtfddR77o17/7bzY%20te0WSBi5aEkai%209hviEhL44hKT2PE9gP2iUM2JHqi%20rfqaQFmlBL9kpOwEqIanOVcLO7B%205qfntdPOWQQoAVZUCYwBpamEcWya2haCA3L7N/%20aGPWGshNLey9bwlusizuMLLWjZ8lYbvdwWndMfM8ALzYoSHD29999vIfWFewEAAA==	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	151.101.1.229
	DOC-71275297.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.193.229
	DOC-80697077.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
l2.io	https://rogue-orange-foe.glitch.me/public/USANFCU.html	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://orchid-pineapple-lead.glitch.me/public/navyfederal.html	Get hash	malicious	Unknown	Browse	195.80.159.133
	Investec Payment-Copy.pdf	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://sassy-magnificent-antimatter.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://futuristic-gem-wood.glitch.me/public/sm5cde.HTM	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://tarry-foggy-contraption.glitch.me/public/sm5cde.HTM	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://phase-enthusiastic-wallaby.glitch.me/public/RRENFCONL0.HTML	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://petalite-crocus-mitten.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	file.html	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://www.uploadhub.io/ZFoF4yMt1IvJbMd/file	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	mmclaughlin-In Service Agreement-41918.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	mbda-us.comAudiowav012.html	Get hash	malicious	HTMLPhisher	Browse	151.101.1.74
	https://berajpaints.com.pk/tag/dolor/	Get hash	malicious	Unknown	Browse	151.101.194.137
	mbda-us.comAudiowav012.html	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	Proforma.Invoice.Payment.$$.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://pharmakon-my.sharepoint.com/:f:/g/personal/338im_apoteket_dk/Eq4jY345UJRKi6ZZAILr_qwBOqxx0J6kY0J-kac06geioQ?e=XPAoa6%20pharmakon-my.sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	External VM-Transcript Caller Left 3 CALLMSGS 000047Secs 2808.eml.msg	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://zngw.officeinvoicedoc.com/DhpuI	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://silverangelshomes.com/res444.php?4-68747470733a2f2f684a456d2e6c64656e626572616e2e636f6d2f4d33306830536a4f2f-	Get hash	malicious	HTMLPhisher	Browse	199.232.188.84
	https://nr-srpack-dk-payment-conformations.fushenq.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
DECKNET-ASFR	https://rogue-orange-foe.glitch.me/public/USANFCU.html	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://orchid-pineapple-lead.glitch.me/public/navyfederal.html	Get hash	malicious	Unknown	Browse	195.80.159.133
	Investec Payment-Copy.pdf	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://sassy-magnificent-antimatter.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://futuristic-gem-wood.glitch.me/public/sm5cde.HTM	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://tarry-foggy-contraption.glitch.me/public/sm5cde.HTM	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://phase-enthusiastic-wallaby.glitch.me/public/RRENFCONL0.HTML	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://petalite-crocus-mitten.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	file.html	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133
	https://www.uploadhub.io/ZFoF4yMt1IvJbMd/file	Get hash	malicious	HTMLPhisher	Browse	195.80.159.133

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Password Expiration Notification.msg	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	https://google.mg/url?hl=en&q=https://google.nr/url?q=Gl7qws6TcZ&rct=4214&sa=t&esrc=vax&source=Gl7qws6TcZ&cd=Nzpn8b&cad=Gl7qws6TcZD5&ved=Gl7qws6TcZ84214G&uact=82299&url=amp%2Fgoogle.com.pg/amp/cli.re/rp5Y1r#YW5kcmV3QGhlZWRkaWdpdGFsbWVkaWEuY29t%2F&opi=256371986142&usg=lxfGUQNysmkDx&source=gmail&ust=5108318229914681&usg=AOGl7qws6TcZjng81rOWFwZGl7qws6TcZqR81	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.12.23.50
	mmclaughlin-In Service Agreement-41918.pdf	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.12.23.50
	https://berajpaints.com.pk/tag/dolor/	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	http://jop2024.sciencesconf.org/	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	mbda-us.comAudiowav012.html	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.12.23.50
	Proforma.Invoice.Payment.$$.html	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	https://hattenforlag.se	Get hash	malicious	Unknown	Browse	184.28.90.27 20.12.23.50
	https://pharmakon-my.sharepoint.com/:f:/g/personal/338im_apoteket_dk/Eq4jY345UJRKi6ZZAILr_qwBOqxx0J6kY0J-kac06geioQ?e=XPAoa6%20pharmakon-my.sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.12.23.50

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 64

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2058), with no line terminators
Category:	downloaded
Size (bytes):	2058
Entropy (8bit):	5.2275519102374925
Encrypted:	false
SSDEEP:	48:I54twbMVLUwxlRiCXloJpA+D+F0N+4+DSnm7DGl46YXkgs2:I5nb+YaHP1oJC+iF0J+enm7I43X42
MD5:	AAF4B4C066039688024B3EB28B99260D
SHA1:	3D7499D713898A2798F449D8B3528D4094475208
SHA-256:	249F5139F01396E20B067FBE6DB17315981FB1C36C64D64DF224BCF0F8750EAB
SHA-512:	9BF344AC90C909CB03955757565B9E442BDC411BDF90303C894FB571005F9C1ED211852BCA4503BE8B59C1F2980B2D94B6E511690DB475A51AD7672FB05E22DC
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://cdn.jsdelivr.net/npm/@emailjs/browser@3/dist/email.min.js
Preview:	(()=>{"use strict";var e={d:(t,r)=>{for(var i in r)e.o(r,i)&&!e.o(t,i)&&Object.defineProperty(t,i,{enumerable:!0,get:r[i]})},o:(e,t)=>Object.prototype.hasOwnProperty.call(e,t),r:e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})}},t={};e.r(t),e.d(t,{default:()=>l,init:()=>i,send:()=>a,sendForm:()=>d});const r={_origin:"https://api.emailjs.com"},i=function(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"https://api.emailjs.com";r._userID=e,r._origin=t},s=(e,t,r)=>{if(!e)throw"The public key is required. Visit https://dashboard.emailjs.com/admin/account";if(!t)throw"The service ID is required. Visit https://dashboard.emailjs.com/admin";if(!r)throw"The template ID is required. Visit https://dashboard.emailjs.com/admin/templates";return!0};class o{constructor(e){this.status=e?e.status:0,this.text=e?e.responseText:"Network Error"}}const n=function(e,t){let i=argume

Chrome Cache Entry: 65

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32065)
Category:	dropped
Size (bytes):	85578
Entropy (8bit):	5.366055229017455
Encrypted:	false
SSDEEP:	1536:EYE1JVoiB9JqZdXXe2pD3PgoIiulrUndZ6a4tfOR7WpfWBZ2BJda4w9W3qG9a986:v4J+OlfOhWppCW6G9a98Hr2
MD5:	2F6B11A7E914718E0290410E85366FE9
SHA1:	69BB69E25CA7D5EF0935317584E6153F3FD9A88C
SHA-256:	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
SHA-512:	0D40BCCAA59FEDECF7243D63B33C42592541D0330FEFC78EC81A4C6B9689922D5B211011CA4BE23AE22621CCE4C658F52A1552C92D7AC3615241EB640F8514DB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	/! jQuery v2.2.4 \| (c) jQuery Foundation \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="2.2.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call

Chrome Cache Entry: 66

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	23
Entropy (8bit):	3.9361804341297555
Encrypted:	false
SSDEEP:	3:DyclXMR+:jlXL
MD5:	897649DC7E9CF59CEBDAB71F646DDD17
SHA1:	F114154FB4DCC8EABF0DDD69D93E70B6671F2953
SHA-256:	3BBA16385794C5E9C9964B9B9BB99AA7806209ADE2988485046376E8768E273C
SHA-512:	7CF4460FF9BA241D6383D4C32198B381C1870B79D0C8C7F4B71745F87B0FE891890BF292013B43D5BDF026637516153D13A230D6F6293B7776A81509CE169EEE
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://l2.io/ip.js?var=userip
Preview:	userip = "8.46.123.33";

Chrome Cache Entry: 67

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2058), with no line terminators
Category:	dropped
Size (bytes):	2058
Entropy (8bit):	5.2275519102374925
Encrypted:	false
SSDEEP:	48:I54twbMVLUwxlRiCXloJpA+D+F0N+4+DSnm7DGl46YXkgs2:I5nb+YaHP1oJC+iF0J+enm7I43X42
MD5:	AAF4B4C066039688024B3EB28B99260D
SHA1:	3D7499D713898A2798F449D8B3528D4094475208
SHA-256:	249F5139F01396E20B067FBE6DB17315981FB1C36C64D64DF224BCF0F8750EAB
SHA-512:	9BF344AC90C909CB03955757565B9E442BDC411BDF90303C894FB571005F9C1ED211852BCA4503BE8B59C1F2980B2D94B6E511690DB475A51AD7672FB05E22DC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	(()=>{"use strict";var e={d:(t,r)=>{for(var i in r)e.o(r,i)&&!e.o(t,i)&&Object.defineProperty(t,i,{enumerable:!0,get:r[i]})},o:(e,t)=>Object.prototype.hasOwnProperty.call(e,t),r:e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})}},t={};e.r(t),e.d(t,{default:()=>l,init:()=>i,send:()=>a,sendForm:()=>d});const r={_origin:"https://api.emailjs.com"},i=function(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"https://api.emailjs.com";r._userID=e,r._origin=t},s=(e,t,r)=>{if(!e)throw"The public key is required. Visit https://dashboard.emailjs.com/admin/account";if(!t)throw"The service ID is required. Visit https://dashboard.emailjs.com/admin";if(!r)throw"The template ID is required. Visit https://dashboard.emailjs.com/admin/templates";return!0};class o{constructor(e){this.status=e?e.status:0,this.text=e?e.responseText:"Network Error"}}const n=function(e,t){let i=argume

Chrome Cache Entry: 68

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.9361804341297555
Encrypted:	false
SSDEEP:	3:DyclXMR+:jlXL
MD5:	897649DC7E9CF59CEBDAB71F646DDD17
SHA1:	F114154FB4DCC8EABF0DDD69D93E70B6671F2953
SHA-256:	3BBA16385794C5E9C9964B9B9BB99AA7806209ADE2988485046376E8768E273C
SHA-512:	7CF4460FF9BA241D6383D4C32198B381C1870B79D0C8C7F4B71745F87B0FE891890BF292013B43D5BDF026637516153D13A230D6F6293B7776A81509CE169EEE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	userip = "8.46.123.33";

Chrome Cache Entry: 69

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32065)
Category:	downloaded
Size (bytes):	85578
Entropy (8bit):	5.366055229017455
Encrypted:	false
SSDEEP:	1536:EYE1JVoiB9JqZdXXe2pD3PgoIiulrUndZ6a4tfOR7WpfWBZ2BJda4w9W3qG9a986:v4J+OlfOhWppCW6G9a98Hr2
MD5:	2F6B11A7E914718E0290410E85366FE9
SHA1:	69BB69E25CA7D5EF0935317584E6153F3FD9A88C
SHA-256:	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
SHA-512:	0D40BCCAA59FEDECF7243D63B33C42592541D0330FEFC78EC81A4C6B9689922D5B211011CA4BE23AE22621CCE4C658F52A1552C92D7AC3615241EB640F8514DB
Malicious:	false
URL:	https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Preview:	/! jQuery v2.2.4 \| (c) jQuery Foundation \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="2.2.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (755)
Entropy (8bit):	6.111868428475651
TrID:	Scalable Vector Graphics (18501/1) 24.18% HyperText Markup Language (12001/1) 15.69% HyperText Markup Language (12001/1) 15.69% HyperText Markup Language (11501/1) 15.03% HyperText Markup Language (11501/1) 15.03%
File name:	PaymentOnline.html
File size:	658'162 bytes
MD5:	4cacf32138486b8ca5adb3da029444eb
SHA1:	47f8ea09758e72f0c95fa25d3267deb4ee5f4e0d
SHA256:	f8b83a4418456313b2f77ebc2d03e24662e913782b576b872315084f91658f9d
SHA512:	05f489bd7f076078b7b5426bcd6927da839b1e8480328a0a78bab112cbae4c046ccb55e685f35a48a5b6e45a4fc3718982915054626dce062eb41d45862a19db
SSDEEP:	12288:vN6L85UGPStyn9nG8//JVkPeMW307F10G1bmpNdMq:IL8/PZJW2MWiKGMpTMq
TLSH:	30E4B03BF490351D925BC5687490FBFA0FEE4283D2171AF6B4E727204B8A9C6092BD5D
File Content Preview:	<html lang="en">.<head>. <meta http-equiv="x-ua-compatible" content="EmulateIE9" />.<meta charset="utf-8" />.<meta.name="viewport".content="width=device-width, initial-scale=1, shrink-to-fit=no"./>..<title>se</title>.<meta http-equiv="imagetoolbar" conte

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 15:34:53.933428049 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:53.933465004 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:53.933521032 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:53.933806896 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:53.933823109 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:53.943955898 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:53.943984985 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:53.944039106 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:53.944179058 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:53.944195032 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.398724079 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.399036884 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:54.399068117 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.400221109 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.400296926 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:54.402446985 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:54.402502060 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.403145075 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:54.403152943 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.443428040 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:54.582561970 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.582632065 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.582674980 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.582685947 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:54.582720995 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:54.585067987 CEST	49733	443	192.168.2.4	151.101.65.229
Aug 28, 2024 15:34:54.585093021 CEST	443	49733	151.101.65.229	192.168.2.4
Aug 28, 2024 15:34:54.653398991 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.653661013 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.653702974 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.654553890 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.654608011 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.656378031 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.656435966 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.656713963 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.656724930 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.719806910 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.909252882 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.909307957 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.909380913 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.911895037 CEST	49735	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.911917925 CEST	443	49735	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.978106976 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.978147030 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:54.978256941 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.978521109 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:54.978538036 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:56.680939913 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:56.699471951 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:56.699512005 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:56.700611115 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:56.700681925 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:56.718624115 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:56.718687057 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:56.737344980 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:56.737371922 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:56.785554886 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:56.944195032 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:56.944262981 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:56.944317102 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:58.116324902 CEST	49739	443	192.168.2.4	195.80.159.133
Aug 28, 2024 15:34:58.116358995 CEST	443	49739	195.80.159.133	192.168.2.4
Aug 28, 2024 15:34:58.331118107 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:34:58.331166029 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:34:58.331218958 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:34:58.332170010 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:34:58.332189083 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:34:58.469166040 CEST	49672	443	192.168.2.4	173.222.162.32
Aug 28, 2024 15:34:58.469209909 CEST	443	49672	173.222.162.32	192.168.2.4
Aug 28, 2024 15:34:58.647200108 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:34:58.647254944 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:34:58.647344112 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:34:58.649341106 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:34:58.649353981 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:34:58.967837095 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:34:58.968907118 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:34:58.968931913 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:34:58.969872952 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:34:58.969927073 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:34:59.025577068 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:34:59.025660992 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:34:59.173609972 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:34:59.173630953 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:34:59.228882074 CEST	49748	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:34:59.228938103 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:34:59.229026079 CEST	49748	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:34:59.230926037 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:34:59.230990887 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:34:59.233485937 CEST	49748	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:34:59.233515024 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:34:59.240334034 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:34:59.240350008 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:34:59.240566015 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:34:59.361144066 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:34:59.361285925 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:34:59.899564028 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:34:59.899640083 CEST	49748	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:34:59.902463913 CEST	49748	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:34:59.902486086 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:34:59.902744055 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:34:59.943010092 CEST	49748	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:34:59.988502026 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:00.064095020 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:00.108500957 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.175785065 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:00.175836086 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:00.175946951 CEST	49748	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:00.176054955 CEST	49748	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:00.176074982 CEST	443	49748	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:00.255182028 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255206108 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255213976 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255250931 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255275965 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255280018 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:00.255294085 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255326033 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255348921 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:00.255348921 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:00.255372047 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:00.255532026 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255539894 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255589008 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:00.255598068 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.255966902 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:00.256017923 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:00.385075092 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:00.385143042 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:00.386276960 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:00.386703014 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:00.386727095 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:01.024204016 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:01.024246931 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:01.024261951 CEST	49747	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:01.024269104 CEST	443	49747	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:01.065443039 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:01.065505028 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:01.069560051 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:01.069571972 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:01.069802999 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:01.075484037 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:01.120498896 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:01.343781948 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:01.343842030 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:01.343910933 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:01.344667912 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:01.344690084 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:01.344701052 CEST	49752	443	192.168.2.4	184.28.90.27
Aug 28, 2024 15:35:01.344707012 CEST	443	49752	184.28.90.27	192.168.2.4
Aug 28, 2024 15:35:02.845473051 CEST	49723	80	192.168.2.4	88.221.110.91
Aug 28, 2024 15:35:02.850847006 CEST	80	49723	88.221.110.91	192.168.2.4
Aug 28, 2024 15:35:02.850919008 CEST	49723	80	192.168.2.4	88.221.110.91
Aug 28, 2024 15:35:08.875667095 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:08.875724077 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:08.875824928 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:35:08.877718925 CEST	49746	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:35:08.877744913 CEST	443	49746	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:37.610922098 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:37.610982895 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:37.611304998 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:37.611515045 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:37.611526012 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.194200993 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.194276094 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.198779106 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.198788881 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.198987961 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.209124088 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.252505064 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.402059078 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.402085066 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.402098894 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.402143955 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.402158976 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.402198076 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.402216911 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.403614998 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.403662920 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.403681993 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.403687000 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.403696060 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.403712034 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.403736115 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.407826900 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.407840967 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:38.407860041 CEST	49761	443	192.168.2.4	20.12.23.50
Aug 28, 2024 15:35:38.407865047 CEST	443	49761	20.12.23.50	192.168.2.4
Aug 28, 2024 15:35:51.748606920 CEST	49724	80	192.168.2.4	93.184.221.240
Aug 28, 2024 15:35:51.753916025 CEST	80	49724	93.184.221.240	192.168.2.4
Aug 28, 2024 15:35:51.754108906 CEST	49724	80	192.168.2.4	93.184.221.240
Aug 28, 2024 15:35:58.558233023 CEST	49763	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:35:58.558278084 CEST	443	49763	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:58.558600903 CEST	49763	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:35:58.558600903 CEST	49763	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:35:58.558629990 CEST	443	49763	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:59.188517094 CEST	443	49763	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:59.189122915 CEST	49763	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:35:59.189136028 CEST	443	49763	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:59.189446926 CEST	443	49763	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:59.190026045 CEST	49763	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:35:59.190082073 CEST	443	49763	172.217.16.132	192.168.2.4
Aug 28, 2024 15:35:59.232681036 CEST	49763	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:36:09.109613895 CEST	443	49763	172.217.16.132	192.168.2.4
Aug 28, 2024 15:36:09.109673977 CEST	443	49763	172.217.16.132	192.168.2.4
Aug 28, 2024 15:36:09.109982014 CEST	49763	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:36:10.203836918 CEST	49763	443	192.168.2.4	172.217.16.132
Aug 28, 2024 15:36:10.203866005 CEST	443	49763	172.217.16.132	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 15:34:53.847583055 CEST	53	61098	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:53.923221111 CEST	59814	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:53.923341990 CEST	51947	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:53.923662901 CEST	65030	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:53.923768997 CEST	49728	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:53.928849936 CEST	53	50952	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:53.932811975 CEST	53	59814	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:53.932821989 CEST	53	51947	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:53.932832003 CEST	53	61469	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:53.932841063 CEST	53	65030	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:53.943648100 CEST	53	49728	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:54.591972113 CEST	56935	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:54.592441082 CEST	63461	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:54.599035978 CEST	53	63461	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:54.932773113 CEST	53	60154	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:54.958683014 CEST	53559	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:54.958820105 CEST	52210	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:54.965404987 CEST	53	53559	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:54.976342916 CEST	53	52210	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:55.360589981 CEST	53	61440	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:58.320451021 CEST	64386	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:58.320703030 CEST	53673	53	192.168.2.4	1.1.1.1
Aug 28, 2024 15:34:58.328872919 CEST	53	53673	1.1.1.1	192.168.2.4
Aug 28, 2024 15:34:58.328980923 CEST	53	64386	1.1.1.1	192.168.2.4
Aug 28, 2024 15:35:03.317987919 CEST	138	138	192.168.2.4	192.168.2.255
Aug 28, 2024 15:35:06.491921902 CEST	53	51580	1.1.1.1	192.168.2.4
Aug 28, 2024 15:35:12.009068012 CEST	53	56596	1.1.1.1	192.168.2.4
Aug 28, 2024 15:35:30.932885885 CEST	53	65006	1.1.1.1	192.168.2.4
Aug 28, 2024 15:35:53.697453022 CEST	53	55003	1.1.1.1	192.168.2.4
Aug 28, 2024 15:35:53.866185904 CEST	53	58164	1.1.1.1	192.168.2.4
Aug 28, 2024 15:36:22.771543980 CEST	53	54201	1.1.1.1	192.168.2.4
Aug 28, 2024 15:37:08.913265944 CEST	53	52801	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 28, 2024 15:34:53.923221111 CEST	192.168.2.4	1.1.1.1	0x734d	Standard query (0)	cdn.jsdelivr.net	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:53.923341990 CEST	192.168.2.4	1.1.1.1	0x5f1	Standard query (0)	cdn.jsdelivr.net	65	IN (0x0001)	false
Aug 28, 2024 15:34:53.923662901 CEST	192.168.2.4	1.1.1.1	0x5ae0	Standard query (0)	l2.io	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:53.923768997 CEST	192.168.2.4	1.1.1.1	0x3217	Standard query (0)	l2.io	65	IN (0x0001)	false
Aug 28, 2024 15:34:54.591972113 CEST	192.168.2.4	1.1.1.1	0xef98	Standard query (0)	cdn.jsdelivr.net	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:54.592441082 CEST	192.168.2.4	1.1.1.1	0x1d2f	Standard query (0)	cdn.jsdelivr.net	65	IN (0x0001)	false
Aug 28, 2024 15:34:54.958683014 CEST	192.168.2.4	1.1.1.1	0x5399	Standard query (0)	l2.io	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:54.958820105 CEST	192.168.2.4	1.1.1.1	0xe1b1	Standard query (0)	l2.io	65	IN (0x0001)	false
Aug 28, 2024 15:34:58.320451021 CEST	192.168.2.4	1.1.1.1	0x944b	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:58.320703030 CEST	192.168.2.4	1.1.1.1	0xd776	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 28, 2024 15:34:53.932811975 CEST	1.1.1.1	192.168.2.4	0x734d	No error (0)	cdn.jsdelivr.net	jsdelivr.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 15:34:53.932811975 CEST	1.1.1.1	192.168.2.4	0x734d	No error (0)	jsdelivr.map.fastly.net		151.101.65.229	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:53.932811975 CEST	1.1.1.1	192.168.2.4	0x734d	No error (0)	jsdelivr.map.fastly.net		151.101.129.229	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:53.932811975 CEST	1.1.1.1	192.168.2.4	0x734d	No error (0)	jsdelivr.map.fastly.net		151.101.193.229	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:53.932811975 CEST	1.1.1.1	192.168.2.4	0x734d	No error (0)	jsdelivr.map.fastly.net		151.101.1.229	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:53.932821989 CEST	1.1.1.1	192.168.2.4	0x5f1	No error (0)	cdn.jsdelivr.net	jsdelivr.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 15:34:53.932841063 CEST	1.1.1.1	192.168.2.4	0x5ae0	No error (0)	l2.io		195.80.159.133	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:54.598712921 CEST	1.1.1.1	192.168.2.4	0xef98	No error (0)	cdn.jsdelivr.net	cdn.jsdelivr.net.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 15:34:54.599035978 CEST	1.1.1.1	192.168.2.4	0x1d2f	No error (0)	cdn.jsdelivr.net	jsdelivr.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 15:34:54.965404987 CEST	1.1.1.1	192.168.2.4	0x5399	No error (0)	l2.io		195.80.159.133	A (IP address)	IN (0x0001)	false
Aug 28, 2024 15:34:58.328872919 CEST	1.1.1.1	192.168.2.4	0xd776	No error (0)	www.google.com			65	IN (0x0001)	false
Aug 28, 2024 15:34:58.328980923 CEST	1.1.1.1	192.168.2.4	0x944b	No error (0)	www.google.com		172.217.16.132	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn.jsdelivr.net

l2.io

slscr.update.microsoft.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	151.101.65.229	443	4928	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 13:34:54 UTC	520	OUT	GET /npm/@emailjs/browser@3/dist/email.min.js HTTP/1.1 Host: cdn.jsdelivr.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-28 13:34:54 UTC	757	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2058 Access-Control-Allow-Origin: * Access-Control-Expose-Headers: * Timing-Allow-Origin: * Cache-Control: public, max-age=604800, s-maxage=43200 Cross-Origin-Resource-Policy: cross-origin X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Type: application/javascript; charset=utf-8 X-JSD-Version: 3.12.1 X-JSD-Version-Type: version ETag: W/"80a-PXSZ1xOJiieY9EnYs1KNQJRHUgg" Accept-Ranges: bytes Age: 25433 Date: Wed, 28 Aug 2024 13:34:54 GMT X-Served-By: cache-fra-etou8220134-FRA, cache-ewr-kewr1740025-EWR X-Cache: HIT, MISS Vary: Accept-Encoding alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
2024-08-28 13:34:54 UTC	1378	IN	Data Raw: 28 28 29 3d 3e 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 76 61 72 20 65 3d 7b 64 3a 28 74 2c 72 29 3d 3e 7b 66 6f 72 28 76 61 72 20 69 20 69 6e 20 72 29 65 2e 6f 28 72 2c 69 29 26 26 21 65 2e 6f 28 74 2c 69 29 26 26 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 74 2c 69 2c 7b 65 6e 75 6d 65 72 61 62 6c 65 3a 21 30 2c 67 65 74 3a 72 5b 69 5d 7d 29 7d 2c 6f 3a 28 65 2c 74 29 3d 3e 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28 65 2c 74 29 2c 72 3a 65 3d 3e 7b 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 53 79 6d 62 6f 6c 26 26 53 79 6d 62 6f 6c 2e 74 6f 53 74 72 69 6e 67 54 61 67 26 26 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 65 2c 53 Data Ascii: (()=>{"use strict";var e={d:(t,r)=>{for(var i in r)e.o(r,i)&&!e.o(t,i)&&Object.defineProperty(t,i,{enumerable:!0,get:r[i]})},o:(e,t)=>Object.prototype.hasOwnProperty.call(e,t),r:e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,S
2024-08-28 13:34:54 UTC	680	IN	Data Raw: 2c 61 3d 28 65 2c 74 2c 69 2c 6f 29 3d 3e 7b 63 6f 6e 73 74 20 61 3d 6f 7c 7c 72 2e 5f 75 73 65 72 49 44 3b 73 28 61 2c 65 2c 74 29 3b 63 6f 6e 73 74 20 64 3d 7b 6c 69 62 5f 76 65 72 73 69 6f 6e 3a 22 33 2e 31 32 2e 31 22 2c 75 73 65 72 5f 69 64 3a 61 2c 73 65 72 76 69 63 65 5f 69 64 3a 65 2c 74 65 6d 70 6c 61 74 65 5f 69 64 3a 74 2c 74 65 6d 70 6c 61 74 65 5f 70 61 72 61 6d 73 3a 69 7d 3b 72 65 74 75 72 6e 20 6e 28 22 2f 61 70 69 2f 76 31 2e 30 2f 65 6d 61 69 6c 2f 73 65 6e 64 22 2c 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 64 29 2c 7b 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 7d 29 7d 2c 64 3d 28 65 2c 74 2c 69 2c 6f 29 3d 3e 7b 63 6f 6e 73 74 20 61 3d 6f 7c 7c 72 2e 5f 75 73 65 72 49 44 2c 64 Data Ascii: ,a=(e,t,i,o)=>{const a=o\|\|r._userID;s(a,e,t);const d={lib_version:"3.12.1",user_id:a,service_id:e,template_id:t,template_params:i};return n("/api/v1.0/email/send",JSON.stringify(d),{"Content-type":"application/json"})},d=(e,t,i,o)=>{const a=o\|\|r._userID,d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	195.80.159.133	443	4928	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 13:34:54 UTC	485	OUT	GET /ip.js?var=userip HTTP/1.1 Host: l2.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-28 13:34:54 UTC	167	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 13:34:54 GMT Server: Apache/2.4.38 (Debian) Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8
2024-08-28 13:34:54 UTC	23	IN	Data Raw: 75 73 65 72 69 70 20 3d 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 3b Data Ascii: userip = "8.46.123.33";

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	195.80.159.133	443	4928	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 13:34:56 UTC	345	OUT	GET /ip.js?var=userip HTTP/1.1 Host: l2.io Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-28 13:34:56 UTC	167	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 13:34:56 GMT Server: Apache/2.4.38 (Debian) Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8
2024-08-28 13:34:56 UTC	23	IN	Data Raw: 75 73 65 72 69 70 20 3d 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 3b Data Ascii: userip = "8.46.123.33";

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49748	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-28 13:34:59 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-28 13:35:00 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=244857 Date: Wed, 28 Aug 2024 13:35:00 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-08-28 13:35:00 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CyU75V7dEdNgGPP&MD=GouCRbga HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-28 13:35:00 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 40e8f7b7-c931-4826-8385-37850ec0af2f MS-RequestId: 0a3ccce1-b60e-497f-9123-8b8fedbe964d MS-CV: w3BkM+nKbUma+Ry3.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 28 Aug 2024 13:34:59 GMT Connection: close Content-Length: 24490
2024-08-28 13:35:00 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-28 13:35:00 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49752	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-28 13:35:01 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-28 13:35:01 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=244865 Date: Wed, 28 Aug 2024 13:35:01 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-28 13:35:01 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49761	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-08-28 13:35:38 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=CyU75V7dEdNgGPP&MD=GouCRbga HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-28 13:35:38 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 33676f2f-28b7-420a-824e-5d21fe579577 MS-RequestId: 9d613e95-60c9-4db3-ada4-dcce81ee5d50 MS-CV: BLSafpflV0+D1UeK.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 28 Aug 2024 13:35:37 GMT Connection: close Content-Length: 30005
2024-08-28 13:35:38 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-28 13:35:38 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 4520, Parent PID: 3568

General

Target ID:	0
Start time:	09:34:50
Start date:	28/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\PaymentOnline.html"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 4928, Parent PID: 4520

General

Target ID:	2
Start time:	09:34:52
Start date:	28/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2008,i,10137650121201936708,14751184556041639990,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PaymentOnline.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 4520, Parent PID: 3568

General

Chronological Activities

Analysis Process: chrome.exePID: 4928, Parent PID: 4520

General

Chronological Activities

Disassembly

Windows Analysis Report
PaymentOnline.html