Edit tour

Windows Analysis Report
[Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm

Overview

General Information

Sample name:	[Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm
Analysis ID:	1665597
MD5:	16cde94f8e003392ff139f8b2afcd81b
SHA1:	e481d88d9d1fcd15b98c707096c41a3131ce67f0
SHA256:	e086e5815cdd21831d445881dd7459865bfa4386def0239731a16a56584dc3ed
Infos:

Detection

HTMLPhisher

Score:	84
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Antivirus detection for URL or domain

Yara detected HtmlPhish45

HTML IFrame injector detected

HTML Script injector detected

HTML document with suspicious name

HTML file submission containing password form

HTML page contains obfuscated javascript

Detected TCP or UDP traffic on non-standard ports

HTML body contains password input but no form action

HTML page contains hidden javascript code

IP address seen in connection with other malware

Invalid 'forgot password' link found

Invalid 'sign-in options' or 'sign-up' link found

None HTTPS page querying sensitive user data (password, username or email)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2220,i,12153333222681571098,509529815984060871,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2248 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6256 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\[Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
0.5.pages.csv	JoeSecurity_HtmlPhish_45	Yara detected HtmlPhish_45	Joe Security
0.1.pages.csv	JoeSecurity_HtmlPhish_45	Yara detected HtmlPhish_45	Joe Security
0.4.pages.csv	JoeSecurity_HtmlPhish_45	Yara detected HtmlPhish_45	Joe Security
0.3.pages.csv	JoeSecurity_HtmlPhish_45	Yara detected HtmlPhish_45	Joe Security

HTTP traffic detected: POST /app/godag.php HTTP/1.1Host: erfectries.jamesolflt.bondConnection: keep-aliveContent-Length: 56sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: application/json, text/javascript, */*; q=0.01sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencoded; charset=UTF-8sec-ch-ua-mobile: ?0Origin: https://0j3grwfigpnmnimq.mybeautycare.pk:8443Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: chromecache_84.3.dr	String found in binary or memory: http://jquery.org/license
Source: chromecache_78.3.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=378607
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=449857
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=470258
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=589347
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.jquery.com/ticket/12359
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.jquery.com/ticket/13378
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=136851
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=137337
Source: chromecache_84.3.dr	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: chromecache_84.3.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: chromecache_84.3.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: chromecache_84.3.dr	String found in binary or memory: https://drafts.csswg.org/cssom/#common-serializing-idioms
Source: chromecache_84.3.dr	String found in binary or memory: https://drafts.csswg.org/cssom/#resolved-values
Source: chromecache_79.3.dr	String found in binary or memory: https://getbootstrap.com)
Source: chromecache_84.3.dr	String found in binary or memory: https://github.com/eslint/eslint/issues/3229
Source: chromecache_84.3.dr	String found in binary or memory: https://github.com/eslint/eslint/issues/6125
Source: chromecache_84.3.dr	String found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: chromecache_84.3.dr	String found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: chromecache_84.3.dr	String found in binary or memory: https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon
Source: chromecache_79.3.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_79.3.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: chromecache_84.3.dr	String found in binary or memory: https://html.spec.whatwg.org/#strip-and-collapse-whitespace
Source: chromecache_84.3.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#category-listed
Source: chromecache_84.3.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled
Source: chromecache_84.3.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled
Source: chromecache_84.3.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled
Source: chromecache_84.3.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled
Source: chromecache_84.3.dr	String found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Source: chromecache_84.3.dr	String found in binary or memory: https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
Source: chromecache_84.3.dr	String found in binary or memory: https://jquery.com/
Source: chromecache_84.3.dr	String found in binary or memory: https://jquery.org/license
Source: chromecache_84.3.dr	String found in binary or memory: https://jsperf.com/getall-vs-sizzle/2
Source: chromecache_84.3.dr	String found in binary or memory: https://jsperf.com/thor-indexof-vs-for/5
Source: chromecache_84.3.dr	String found in binary or memory: https://promisesaplus.com/#point-48
Source: chromecache_84.3.dr	String found in binary or memory: https://promisesaplus.com/#point-54
Source: chromecache_84.3.dr	String found in binary or memory: https://promisesaplus.com/#point-57
Source: chromecache_84.3.dr	String found in binary or memory: https://promisesaplus.com/#point-59
Source: chromecache_84.3.dr	String found in binary or memory: https://promisesaplus.com/#point-61
Source: chromecache_84.3.dr	String found in binary or memory: https://promisesaplus.com/#point-64
Source: chromecache_84.3.dr	String found in binary or memory: https://promisesaplus.com/#point-75
Source: chromecache_84.3.dr	String found in binary or memory: https://sizzlejs.com/
Source: chromecache_84.3.dr	String found in binary or memory: https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: chromecache_84.3.dr	String found in binary or memory: https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 74.125.138.104:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.7.218.74:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.7.218.74:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 96.7.218.74:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.194.137:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.194.137:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.194.137:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.33.12:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.33.12:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.57.106:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.57.106:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.97.101.194:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.96.111.2:443 -> 192.168.2.4:49795 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: [Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm

Initial sample: detail

Source: classification engine

Classification label: mal84.phis.winHTM@24/30@26/14

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2220,i,12153333222681571098,509529815984060871,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2248 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\[Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2220,i,12153333222681571098,509529815984060871,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2248 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\[Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm

HTTP Parser: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	0%	Avira URL Cloud	safe
https://erfectries.jamesolflt.bond/app/godag.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ooc-g2.tm-4.office.com	52.96.111.2	true	false	high
e329293.dscd.akamaiedge.net	96.7.218.74	true	false	high
sdfsdfsdfsdfsdf.stamba.com	172.67.200.32	true	false	unknown
code.jquery.com	151.101.194.137	true	false	high
cdnjs.cloudflare.com	104.17.24.14	true	false	high
s-part-0013.t-0009.t-msedge.net	13.107.246.41	true	false	high
maxcdn.bootstrapcdn.com	104.18.10.207	true	false	high
www.google.com	74.125.138.104	true	false	high
0j3grwfigpnmnimq.mybeautycare.pk	104.21.112.1	true	false	unknown
erfectries.jamesolflt.bond	104.21.57.106	true	false	high
LYH-efz.ms-acdc.office.com	52.97.101.194	true	false	high
_2025._https.sdfsdfsdfsdfsdf.stamba.com	unknown	unknown	false	unknown
outlook.office.com	unknown	unknown	false	high
aadcdn.msftauth.net	unknown	unknown	false	high
_8443._https.0j3grwfigpnmnimq.mybeautycare.pk	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://code.jquery.com/jquery-3.2.1.slim.min.js	false		high
https://erfectries.jamesolflt.bond/app/godag.php	false	Avira URL Cloud: malware	unknown
https://outlook.office.com/	false		high
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js	false		high
https://code.jquery.com/jquery-3.1.1.min.js	false		high
https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg	false		high
file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	true	Avira URL Cloud: safe	unknown
https://code.jquery.com/jquery-3.3.1.js	false		high
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	false		high
https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_kfhrfyfy-sm2tmkm5ficcw2.css	false		high
https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg	false		high
https://outlook.office.com/mail/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://bugs.webkit.org/show_bug.cgi?id=136851	chromecache_84.3.dr	false	high
http://jquery.org/license	chromecache_84.3.dr	false	high
https://jsperf.com/thor-indexof-vs-for/5	chromecache_84.3.dr	false	high
https://bugs.jquery.com/ticket/12359	chromecache_84.3.dr	false	high
https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/	chromecache_84.3.dr	false	high
https://html.spec.whatwg.org/#strip-and-collapse-whitespace	chromecache_84.3.dr	false	high
https://promisesaplus.com/#point-75	chromecache_84.3.dr	false	high
https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a	chromecache_84.3.dr	false	high
https://drafts.csswg.org/cssom/#common-serializing-idioms	chromecache_84.3.dr	false	high
https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled	chromecache_84.3.dr	false	high
https://bugs.webkit.org/show_bug.cgi?id=29084	chromecache_84.3.dr	false	high
https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace	chromecache_84.3.dr	false	high
https://github.com/eslint/eslint/issues/6125	chromecache_84.3.dr	false	high
https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled	chromecache_84.3.dr	false	high
https://github.com/jquery/jquery/pull/557)	chromecache_84.3.dr	false	high
https://github.com/twbs/bootstrap/graphs/contributors)	chromecache_79.3.dr	false	high
https://bugs.chromium.org/p/chromium/issues/detail?id=378607	chromecache_84.3.dr	false	high
https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon	chromecache_84.3.dr	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=687787	chromecache_84.3.dr	false	high
https://bugs.chromium.org/p/chromium/issues/detail?id=470258	chromecache_84.3.dr	false	high
http://opensource.org/licenses/MIT).	chromecache_78.3.dr	false	high
https://bugs.jquery.com/ticket/13378	chromecache_84.3.dr	false	high
https://promisesaplus.com/#point-64	chromecache_84.3.dr	false	high
https://promisesaplus.com/#point-61	chromecache_84.3.dr	false	high
https://drafts.csswg.org/cssom/#resolved-values	chromecache_84.3.dr	false	high
https://bugs.chromium.org/p/chromium/issues/detail?id=589347	chromecache_84.3.dr	false	high
https://html.spec.whatwg.org/multipage/syntax.html#attributes-2	chromecache_84.3.dr	false	high
https://promisesaplus.com/#point-59	chromecache_84.3.dr	false	high
https://jsperf.com/getall-vs-sizzle/2	chromecache_84.3.dr	false	high
https://promisesaplus.com/#point-57	chromecache_84.3.dr	false	high
https://github.com/eslint/eslint/issues/3229	chromecache_84.3.dr	false	high
https://promisesaplus.com/#point-54	chromecache_84.3.dr	false	high
https://html.spec.whatwg.org/multipage/forms.html#category-listed	chromecache_84.3.dr	false	high
https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled	chromecache_84.3.dr	false	high
https://developer.mozilla.org/en-US/docs/CSS/display	chromecache_84.3.dr	false	high
https://jquery.org/license	chromecache_84.3.dr	false	high
https://jquery.com/	chromecache_84.3.dr	false	high
https://getbootstrap.com)	chromecache_79.3.dr	false	high
https://bugs.webkit.org/show_bug.cgi?id=137337	chromecache_84.3.dr	false	high
https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled	chromecache_84.3.dr	false	high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	chromecache_79.3.dr	false	high
https://promisesaplus.com/#point-48	chromecache_84.3.dr	false	high
https://github.com/jquery/sizzle/pull/225	chromecache_84.3.dr	false	high
https://sizzlejs.com/	chromecache_84.3.dr	false	high
https://bugs.chromium.org/p/chromium/issues/detail?id=449857	chromecache_84.3.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
52.97.101.194	LYH-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.1.33.12	unknown	United States	20940	AKAMAI-ASN1EU	false
74.125.138.104	www.google.com	United States	15169	GOOGLEUS	false
104.18.10.207	maxcdn.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
96.7.218.74	e329293.dscd.akamaiedge.net	United States	20940	AKAMAI-ASN1EU	false
104.21.57.106	erfectries.jamesolflt.bond	United States	13335	CLOUDFLARENETUS	false
52.96.111.2	ooc-g2.tm-4.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.67.200.32	sdfsdfsdfsdfsdf.stamba.com	United States	13335	CLOUDFLARENETUS	false
104.21.112.1	0j3grwfigpnmnimq.mybeautycare.pk	United States	13335	CLOUDFLARENETUS	false
104.21.92.240	unknown	United States	13335	CLOUDFLARENETUS	false
151.101.194.137	code.jquery.com	United States	54113	FASTLYUS	false

Private

IP
192.168.2.4
192.168.2.14

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1665597
Start date and time:	2025-04-15 17:28:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	[Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm
Detection:	MAL
Classification:	mal84.phis.winHTM@24/30@26/14
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .htm

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.215.94, 64.233.177.139, 64.233.177.113, 64.233.177.101, 64.233.177.102, 64.233.177.100, 64.233.177.138, 142.251.15.84, 172.253.124.101, 172.253.124.100, 172.253.124.102, 172.253.124.138, 172.253.124.113, 172.253.124.139, 64.233.185.102, 64.233.185.113, 64.233.185.101, 64.233.185.138, 64.233.185.139, 64.233.185.100, 74.125.138.113, 74.125.138.101, 74.125.138.139, 74.125.138.100, 74.125.138.138, 74.125.138.102, 74.125.138.95, 142.250.9.95, 108.177.122.95, 142.250.105.95, 74.125.136.95, 64.233.185.95, 172.217.215.95, 74.125.21.95, 173.194.219.95, 172.253.124.95, 64.233.177.95, 173.194.219.102, 173.194.219.139, 173.194.219.101, 173.194.219.138, 173.194.219.100, 173.194.219.113, 74.125.21.102, 74.125.21.139, 74.125.21.100, 74.125.21.138, 74.125.21.101, 74.125.21.113, 173.194.219.94, 108.177.122.113, 108.177.122.101, 108.177.122.138, 108.177.122.139, 108.177.122.102, 108.177.122.100, 74.125.136.138, 74.125.136.101, 74.125.136.100, 74.125.136.139, 74.125.136.102, 74.
Excluded domains from analysis (whitelisted): logincdn.msauth.net, clients1.google.com, fs.microsoft.com, lgincdnmsftuswe2.azureedge.net, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, ajax.googleapis.com, aadcdnoriginwus2.azureedge.net, clientservices.googleapis.com, aadcdn.msauth.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, aadcdnoriginwus2.afd.azureedge.net, lgincdnmsftuswe2.afd.azureedge.net, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.17.24.14	Proforma.Invoice.Payment.$$.html	Get hash	malicious	Unknown	Browse	cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js
	http://vtaurl.com	Get hash	malicious	Unknown	Browse	cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.4/webfonts/fa-brands-400.woff2
	http://Voyages.CNTraveler.com	Get hash	malicious	Unknown	Browse	cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.js
52.97.101.194	Ekim_Fatura_Turkcell.exe	Get hash	malicious	Unknown	Browse
23.1.33.12	https://sgoutreach.com/mt/lte?tid=10575540077886&lid=1&targetURL=https://gamma.app/docs/Camozzi-Automation-Ltd-3uaq1u1p10l4wlv?mode=present#card-fwba4n8sto7tjss	Get hash	malicious	HTMLPhisher	Browse
	Remittance_AdviceCopy.svg	Get hash	malicious	HTMLPhisher	Browse
	winchancho_combined.exe	Get hash	malicious	Unknown	Browse
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	http://cf-ipfs.com	Get hash	malicious	Unknown	Browse
	https://webex-install.com	Get hash	malicious	NetSupport RAT	Browse
	https://binaprecast-my.sharepoint.com/:f:/g/personal/maf_binareadymix_com/EtQwnFsihkNFvAMJsmvHcx0Bs5D77utYZ4PAxlNctboJVg?e=KLtKEO	Get hash	malicious	Unknown	Browse
	edge_x86_KB91412024.exe	Get hash	malicious	Unknown	Browse
104.18.10.207	http://desifoodcorner.wb4.xyz/	Get hash	malicious	Unknown	Browse	maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0
	SecuriteInfo.com.Exploit.Siggen3.17149.11632.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.10211.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.10211.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.6905.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.32268.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.6905.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.4633.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.21631.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.14541.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
code.jquery.com	original.eml	Get hash	malicious	Gabagool	Browse	151.101.2.137
	http://dqljfazx.manamahealth.com/rd/4SPyzj6305fzFg150badyxifgmp318RGPFBXSDASLOMKH3927WAAX41792T12?WYEZw8o1HZ0PSjUue-WkMbNTGsBj-NIobqD	Get hash	malicious	Unknown	Browse	151.101.66.137
	https://tu.gaboras.com.tr	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://sgoutreach.com/mt/lte?tid=10575540077886&lid=1&targetURL=https://gamma.app/docs/Camozzi-Automation-Ltd-3uaq1u1p10l4wlv?mode=present#card-fwba4n8sto7tjss	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://dev.puremro.com/outbound?id=3&src=dir.page&url=https://kevor.nhsaportal.com#test@mydomain.com	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	51432d9c-9841-e335-3af4-cd8efc8e1781.eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	151.101.130.137
	https://www.canva.com/design/DAGkrWrtDYc/rqRwWN8FmLdYxvJvAW4Uag/view?utm_content=DAGkrWrtDYc&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h5db7899ba7	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	Remittance_AdviceCopy.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	copy.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	M365_Subscription_INV350777356477.html	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
e329293.dscd.akamaiedge.net	https://bjcgghbjchdgbfbghdgghbjchdgbfbggbfbg.sharefile.eu/share/view/sce3352de88ff40309b639a23a0046fb1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	96.7.218.74
	https://degrgd.dailyenglish.it.com/ODIWCBlb	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	96.7.218.8
	html.html	Get hash	malicious	HTMLPhisher	Browse	96.7.218.8
	https://url.de.m.mimecastprotect.com/s/woPuCPj0KAcKxPVkWHzf5cxVN9d?domain=campaign-statistics.com	Get hash	malicious	HTMLPhisher	Browse	23.203.48.16
	https://campaign-statistics.com/link_click/b4Z6O2-Vv6KGnO-3eiq15/3b7f6a01a70ab8eaf5ab4d4058e199c0	Get hash	malicious	HTMLPhisher	Browse	96.7.218.8
	https://sgoutreach.com/mt/lte?tid=10575540077886&lid=1&targetURL=https://gamma.app/docs/Camozzi-Automation-Ltd-3uaq1u1p10l4wlv?mode=present#card-fwba4n8sto7tjss	Get hash	malicious	HTMLPhisher	Browse	23.1.33.12
	https://www.canva.com/design/DAGkrWrtDYc/rqRwWN8FmLdYxvJvAW4Uag/view?utm_content=DAGkrWrtDYc&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h5db7899ba7	Get hash	malicious	HTMLPhisher	Browse	96.7.218.8
	Remittance_AdviceCopy.svg	Get hash	malicious	HTMLPhisher	Browse	96.7.218.74
	copy.svg	Get hash	malicious	HTMLPhisher	Browse	96.7.218.74
	https://mastressicoglass.my	Get hash	malicious	HTMLPhisher	Browse	96.7.218.8
ooc-g2.tm-4.office.com	https://1234567890123456.bayareasantaclausexperience.com:8443/impact?1234567890123456789012345=no@no.com	Get hash	malicious	HTMLPhisher	Browse	40.99.232.210
	Invoice Confirmation Subscription_2EZHMA9.htm	Get hash	malicious	HTMLPhisher	Browse	40.97.4.1
	Provider Document.html	Get hash	malicious	HTMLPhisher	Browse	52.96.242.18
	https://rsedis.online/?fvrjsszu=d51be19066e55b8a6064b9e0a3b0572f4b01f273b84fffd0d3341ca42e38f44ce5080783bb2651cabe6d2dea6cc950fb15bbe3875845e12a194a042ee82c07c2	Get hash	malicious	HTMLPhisher	Browse	52.96.111.2
	MDE_File_Sample_6967f7cc37c242205a7b3340c6732722fcd79584.zip	Get hash	malicious	HTMLPhisher	Browse	40.104.46.18
	http://support.delfi.com	Get hash	malicious	Unknown	Browse	52.96.239.178
	https://thetti-my.sharepoint.com/:f:/p/kellieblack/EtssBivICL5BgQEDfbETZP4BZsoHTOyxYMnSj46dgeiAiA?e=0t2fdm	Get hash	malicious	HTMLPhisher	Browse	40.97.190.18
	460138.pdf	Get hash	malicious	Unknown	Browse	52.96.109.226
	https://api.mixpanel.com/track?data=eyJldmVudCI6ICIkY2FtcGFpZ25fbGlua19jbGljayIsICJwcm9wZXJ0aWVzIjogeyJjYW1wYWlnbl9pZCI6IDUzNzgyMDQsICJkaXN0aW5jdF9pZCI6ICIxNjE4OTgiLCAibWVzc2FnZV9pZCI6IDEyMTE1MDgsICJ0b2tlbiI6ICI4NDhlOGVjYTBjYjdmNGRjZWE1ODljMWIxMTg2NmQ2YSIsICJ0eXBlIjogImVtYWlsIiwgInVybCI6ICJodHRwOi8vd3d3LmdvbGZnYW1lYm9vay5jb20ifX0=&redirect=https://tornillosind.com.mx/g63c/6195742747/Daversapartners/?nl=anVsaWUud3JhcHBAZGF2ZXJzYXBhcnRuZXJzLmNvbQ==	Get hash	malicious	Unknown	Browse	40.97.4.1
	http://lookerstudio%2e%67%6f%6f%67%6c%65%2e%63%6f%6d/s/tVpHSqKmotA	Get hash	malicious	HTMLPhisher	Browse	40.99.149.98

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	njo.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	104.21.96.1
	https://www.acceleratedusa.net	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.16.138.209
	PO 768733 - 6750.exe	Get hash	malicious	FormBook	Browse	104.21.22.160
	https://disppslyyy2.z13.web.core.windows.net/Wi012nh1delpSh012/index.html?Aniph=1-877-337-5457&_event=4fb5a3fdd9137d70fdfb00640f749955	Get hash	malicious	TechSupportScam	Browse	104.17.25.14
	original.eml	Get hash	malicious	Gabagool	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.205.184
	https://app.any.run/tasks/73c453d2-b4e8-4d61-94da-f398f08adabb	Get hash	malicious	Unknown	Browse	104.26.6.135
	PURCHASE OKK.vbs	Get hash	malicious	FormBook	Browse	104.22.69.199
	https://app.any.run/tasks/73c453d2-b4e8-4d61-94da-f398f08adabb	Get hash	malicious	Unknown	Browse	172.67.20.89
	Draft_Copy_00983232.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
CLOUDFLARENETUS	njo.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	104.21.96.1
	https://www.acceleratedusa.net	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.16.138.209
	PO 768733 - 6750.exe	Get hash	malicious	FormBook	Browse	104.21.22.160
	https://disppslyyy2.z13.web.core.windows.net/Wi012nh1delpSh012/index.html?Aniph=1-877-337-5457&_event=4fb5a3fdd9137d70fdfb00640f749955	Get hash	malicious	TechSupportScam	Browse	104.17.25.14
	original.eml	Get hash	malicious	Gabagool	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.205.184
	https://app.any.run/tasks/73c453d2-b4e8-4d61-94da-f398f08adabb	Get hash	malicious	Unknown	Browse	104.26.6.135
	PURCHASE OKK.vbs	Get hash	malicious	FormBook	Browse	104.22.69.199
	https://app.any.run/tasks/73c453d2-b4e8-4d61-94da-f398f08adabb	Get hash	malicious	Unknown	Browse	172.67.20.89
	Draft_Copy_00983232.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
MICROSOFT-CORP-MSN-AS-BLOCKUS	original.eml	Get hash	malicious	Gabagool	Browse	40.79.141.152
	nK8noQeiXl.exe	Get hash	malicious	HTMLPhisher, CryptOne, LummaC Stealer, Socks5Systemz, Tofsee	Browse	52.101.41.22
	https://compliancetracking.cfainstitute.org/amc-form?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImU5OGFkMTQzLWM0YzEtNDIwYi05OWQ4LTRlODM2ZmFiNjQ4NyIsIm5iZiI6MTc0NDY2NTI5OSwiZXhwIjoxNzQ1MjcwMDk5LCJpYXQiOjE3NDQ2NjUyOTksImlzcyI6Imh0dHBzOi8vc3RhbmRhcmRzY29tcGxpYW5jZXRyYWNraW5nYXBpLmNmYWluc3RpdHV0ZS5vcmcvIn0.l4SBJnn8huVpuJVgzl7oq2riSJ7NbE6i7-Sgdch3E3s	Get hash	malicious	Unknown	Browse	20.190.157.1
	Newsletter (276Ko).msg	Get hash	malicious	Unknown	Browse	20.189.173.23
	http://universityorthony.com	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://149.154.157.69/+CSCOE+/logon.html?q=BzFdUyAIO1l2Dy4KJSEyQRNXAiweJ0gIHjI%3D	Get hash	malicious	Unknown	Browse	150.171.27.10
	Fatura.pdf	Get hash	malicious	Unknown	Browse	52.109.16.3
	Complete via DocuSign_ #Dailycer_Doc. Signature required 4_14_2025.eml	Get hash	malicious	HTMLPhisher	Browse	52.123.129.14
	https://url.de.m.mimecastprotect.com/s/woPuCPj0KAcKxPVkWHzf5cxVN9d?domain=campaign-statistics.com	Get hash	malicious	HTMLPhisher	Browse	13.107.6.156
	xd.mips.elf	Get hash	malicious	Mirai	Browse	40.70.104.26
AKAMAI-ASN1EU	random.exe	Get hash	malicious	Credential Flusher	Browse	23.47.204.64
	original.eml	Get hash	malicious	Gabagool	Browse	23.55.253.31
	random.exe	Get hash	malicious	Credential Flusher	Browse	23.47.204.51
	https://compliancetracking.cfainstitute.org/amc-form?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImU5OGFkMTQzLWM0YzEtNDIwYi05OWQ4LTRlODM2ZmFiNjQ4NyIsIm5iZiI6MTc0NDY2NTI5OSwiZXhwIjoxNzQ1MjcwMDk5LCJpYXQiOjE3NDQ2NjUyOTksImlzcyI6Imh0dHBzOi8vc3RhbmRhcmRzY29tcGxpYW5jZXRyYWNraW5nYXBpLmNmYWluc3RpdHV0ZS5vcmcvIn0.l4SBJnn8huVpuJVgzl7oq2riSJ7NbE6i7-Sgdch3E3s	Get hash	malicious	Unknown	Browse	23.0.175.163
	https://bjcgghbjchdgbfbghdgghbjchdgbfbggbfbg.sharefile.eu/share/view/sce3352de88ff40309b639a23a0046fb1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	96.7.218.74
	https://degrgd.dailyenglish.it.com/ODIWCBlb	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	96.7.218.8
	https://149.154.157.69/+CSCOE+/logon.html?q=BzFdUyAIO1l2Dy4KJSEyQRNXAiweJ0gIHjI%3D	Get hash	malicious	Unknown	Browse	23.55.252.135
	Fatura.pdf	Get hash	malicious	Unknown	Browse	23.55.253.31
	html.html	Get hash	malicious	HTMLPhisher	Browse	104.104.244.200
	Complete via DocuSign_ #Dailycer_Doc. Signature required 4_14_2025.eml	Get hash	malicious	HTMLPhisher	Browse	23.48.246.139

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	3651
Entropy (8bit):	4.094801914706141
Encrypted:	false
SSDEEP:	96:wO4DZ+Stb/jY+eo4hAryAes9mBYYQgWLDm9:wToSBjlevudl9nO
MD5:	EE5C8D9FB6248C938FD0DC19370E90BD
SHA1:	D01A22720918B781338B5BBF9202B241A5F99EE4
SHA-256:	04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A
SHA-512:	C77215B729D0E60C97F075998E88775CD0F813B4D094DC2FDD13E5711D16F4E5993D4521D0FBD5BF7150B0DBE253D88B1B1FF60901F053113C5D7C1919852D58
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0,0,1,.419-.967,1.413,1.413,0,0,1,1-.39,1.392,1.392,0,0,1,1.02.4,1.3,1.3,0,0,1,.4.958,1.248,1.248,0,0,1-.414.953,1.428,1.428,0,0,1-1.01.385A1.4,1.4,0,0,1,47.25,6.6a1.261,1.261,0,0,1-.409-.948M49.41,18.4H47.081V8.507H49.41Zm7.064-1.694a3.213,3.213,0,0,0,1.145-.241,4.811,4.811,0,0,0,1.155-.635V18a4.665,4.665,0,0,1-1.266.481,6.886,6.886,0,0,1-1.554.164,4.707,4.707,0,0,1-4.918-4.908,5.641,5.641,0,0,1,1.4-3.932,5.055,5.055,0,0,1,3.955-1.545,5.414,5.414,0,0,1,1.324.168,4.431,4.431,0,0,1,1.063.39v2.233a4.763,4.763,0,0,0-1.1-.611,3.184,3.184,0,0,0-1.15-.217,2.919,2.919,0,0,0-2.223.9,3.37,3.37,0,0,0-.847,2.416,3.216,3.216,0,0,0,.813,2.338,2.936,2.936,0,0,0,2.209.837M65.4,8.343a2.952,2.952,0,0,1,.5.039,2.1,2.1,0,0,1,.375.1v2.358a2.04,2.04,0,0,0-.

Source: Yara match	File source: 0.5.pages.csv, type: HTML
Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 0.4.pages.csv, type: HTML
Source: Yara match	File source: 0.3.pages.csv, type: HTML

Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: New script tag found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: New script tag found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: New script tag found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: New script tag found

Source: [Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No favicon

Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/[Certificate_Details]_[Microsoft_sarah]_Tue,%2015%20Apr%202025%2007_31_02%20-0700.htm	HTTP Parser: No <meta name="copyright".. found

Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 104.21.112.1:8443
Source: global traffic	TCP traffic: 192.168.2.4:49757 -> 104.21.92.240:2025

Source: Joe Sandbox View	IP Address: 104.17.24.14 104.17.24.14
Source: Joe Sandbox View	IP Address: 23.1.33.12 23.1.33.12
Source: Joe Sandbox View	IP Address: 104.18.10.207 104.18.10.207
Source: Joe Sandbox View	IP Address: 104.18.10.207 104.18.10.207

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/cdnbundles/converged.v2.login.min_kfhrfyfy-sm2tmkm5ficcw2.css HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleSec-Fetch-Storage-Access: activeReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery-3.3.1.js HTTP/1.1Host: code.jquery.comConnection: keep-aliveOrigin: https://0j3grwfigpnmnimq.mybeautycare.pk:8443sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery-3.2.1.slim.min.js HTTP/1.1Host: code.jquery.comConnection: keep-aliveOrigin: https://0j3grwfigpnmnimq.mybeautycare.pk:8443sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery-3.1.1.min.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: https://0j3grwfigpnmnimq.mybeautycare.pk:8443sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.0.0/js/bootstrap.min.js HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: https://0j3grwfigpnmnimq.mybeautycare.pk:8443sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /app/godag.php HTTP/1.1Host: erfectries.jamesolflt.bondConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /app/godag.php HTTP/1.1Host: erfectries.jamesolflt.bondConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=7e55h6vlpql44h2jrfkbjsm29j
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mail/ HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /app/godag.php HTTP/1.1Host: erfectries.jamesolflt.bondConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=7e55h6vlpql44h2jrfkbjsm29j
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mail/ HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /app/godag.php HTTP/1.1Host: erfectries.jamesolflt.bondConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=7e55h6vlpql44h2jrfkbjsm29j
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mail/ HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /app/godag.php HTTP/1.1Host: erfectries.jamesolflt.bondConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=7e55h6vlpql44h2jrfkbjsm29j
Source: global traffic	HTTP traffic detected: GET /mail/ HTTP/1.1Host: outlook.office.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeSec-Fetch-Storage-Access: activeReferer: https://0j3grwfigpnmnimq.mybeautycare.pk:8443/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mail/ HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 0j3grwfigpnmnimq.mybeautycare.pk
Source: global traffic	DNS traffic detected: DNS query: _8443._https.0j3grwfigpnmnimq.mybeautycare.pk
Source: global traffic	DNS traffic detected: DNS query: sdfsdfsdfsdfsdf.stamba.com
Source: global traffic	DNS traffic detected: DNS query: _2025._https.sdfsdfsdfsdfsdf.stamba.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: maxcdn.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: erfectries.jamesolflt.bond
Source: global traffic	DNS traffic detected: DNS query: outlook.office.com

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	4.922935692847741
TrID:	HyperText Markup Language (13003/1) 100.00%
File name:	[Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm
File size:	5'981 bytes
MD5:	16cde94f8e003392ff139f8b2afcd81b
SHA1:	e481d88d9d1fcd15b98c707096c41a3131ce67f0
SHA256:	e086e5815cdd21831d445881dd7459865bfa4386def0239731a16a56584dc3ed
SHA512:	40fbb454f8996dab10d43bf7d26c32485aec12f43c688e46e311dee91e7aa7a6fa58a3fe6d04b384ed0e309a52a60b0cb57b187db5d7d18508794c03d45ff330
SSDEEP:	96:1h+xF/1CF/UzHecfV6iiiBiFa3g4aIoN31Mk3xiqiCiSiXp:KL1WUzHecgiiiBi0gEoN31x3xiqiCiSi
TLSH:	D7C14325364480115272E37C6FB36A0CF6B19117A701056A7DDC624F8FF668688D3FDC
File Content Preview:	..<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <meta name="description" content="418518715379">.. <meta name="robots" content="noindex, nofollow"> Pr

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report [Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
[Certificate_Details]_[Microsoft_sarah]_Tue, 15 Apr 2025 07_31_02 -0700.htm