Windows Analysis Report
Invoice#0036473 .xlsx

Overview

General Information

Sample Name: Invoice#0036473 .xlsx
Analysis ID: 655755
MD5: c93e6dcf32928e1da7346b6ca3a1dc85
SHA1: b90d66412b4d6669a175fd30e32bbe44428bd245
SHA256: 3ffe69c9e2e2f8a350f7d2ff6e64acf8cffbf390489807b81cf8e4eec87d4047

Detection

HTMLPhisher
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
Antivirus detection for URL or domain
Yara detected HtmlPhish7
Multi AV Scanner detection for domain / URL
Document exploit detected (process start blacklist hit)
Potential document exploit detected (unknown TCP traffic)
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTML body contains low number of good links
Potential document exploit detected (performs HTTP gets)
Suspicious form URL found
IP address seen in connection with other malware
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html SlashNext: Label: Credential Stealing type: Phishing & Social Engineering
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/images/office3651.png Avira URL Cloud: Label: phishing
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/images/gmail.png Avira URL Cloud: Label: phishing
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/css/hover.css Avira URL Cloud: Label: phishing
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html2 Avira URL Cloud: Label: phishing
Source: eyecandylashcompany.com Virustotal: Detection: 6%
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html Virustotal: Detection: 20%

Phishing

Source: Yara match File source: 67505.0.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\index[1].htm, type: DROPPED
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: HTML title missing
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: Number of links: 0
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: Form action: azn.php
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: No <meta name="author".. found
Source: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.22:49216 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.16.161:443 -> 192.168.2.22:49217 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.64.150.12:443 -> 192.168.2.22:49222 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.22:49219 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.49.244.155:443 -> 192.168.2.22:49220 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 142.251.36.205:443
Source: global traffic DNS query: name: clients2.google.com
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View IP Address: 104.18.10.207 104.18.10.207
Source: Joe Sandbox View IP Address: 104.18.11.207 104.18.11.207
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Jul 2022 14:21:58 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/html; charset=UTF-8X-Content-Type-Options: nosniffDate: Fri, 01 Jul 2022 14:22:00 GMTServer: fifeCache-Control: privateX-XSS-Protection: 0Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/html; charset=UTF-8X-Content-Type-Options: nosniffDate: Fri, 01 Jul 2022 14:22:22 GMTServer: fifeCache-Control: privateX-XSS-Protection: 0Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Jul 2022 14:22:22 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Jul 2022 14:22:25 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: index[1].htm.0.dr String found in binary or memory: http://www.gmail.com
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.2.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://adservice.google.com
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://ajax.googleapis.com
Source: index[1].htm.0.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://apis.google.com
Source: index[1].htm.0.dr String found in binary or memory: https://cdn.iconscout.com/icon/free/png-512/microsoft-sharepoint-3-599372.png
Source: index[1].htm.0.dr String found in binary or memory: https://cdn.pixabay.com/photo/2018/03/10/12/00/paper-3213924_1280.jpg
Source: index[1].htm.0.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json.2.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: index[1].htm.0.dr String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: index[1].htm.0.dr String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: index[1].htm.0.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://consent.google.com
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://content-autofill.googleapis.com
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com
Source: History Provider Cache.2.dr String found in binary or memory: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html2
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://fonts.googleapis.com
Source: index[1].htm.0.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: craw_window.js.2.dr, craw_background.js.2.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: index[1].htm.0.dr String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://lh3.googleusercontent.com
Source: index[1].htm.0.dr String found in binary or memory: https://lh3.googleusercontent.com/proxy/bATQDWurvLlY3z2KTwUlb1gMxwLZoCk7CvqzrLqN1JioLU4nXkElVj-rMrvN
Source: index[1].htm.0.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: index[1].htm.0.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://ogs.google.com
Source: craw_window.js.2.dr, manifest.json.2.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.2.dr, manifest.json.2.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: index[1].htm.0.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://update.googleapis.com
Source: craw_window.js.2.dr, craw_background.js.2.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://www.google.com
Source: manifest.json.2.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.2.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.2.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.2.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.2.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.2.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: craw_window.js.2.dr, craw_background.js.2.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.2.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.2.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.2.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.2.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.2.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: ef55ff91-ca42-48c2-8615-538469a3af8b.tmp.3.dr String found in binary or memory: https://www.gstatic.com
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=WP.289365
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B3464B5.png
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/index.html HTTP/1.1Host: eyecandylashcompany.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/css/hover.css HTTP/1.1Host: eyecandylashcompany.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /bootstrap/4.0.0/css/bootstrap.min.css HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: https://eyecandylashcompany.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/office3651.png HTTP/1.1Host: eyecandylashcompany.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /bootstrap/4.0.0/js/bootstrap.min.js HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: https://eyecandylashcompany.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: https://eyecandylashcompany.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /icon/free/png-512/microsoft-sharepoint-3-599372.png HTTP/1.1Host: cdn.iconscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/gmail.png HTTP/1.1Host: eyecandylashcompany.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photo/2018/03/10/12/00/paper-3213924_1280.jpg HTTP/1.1Host: cdn.pixabay.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /proxy/bATQDWurvLlY3z2KTwUlb1gMxwLZoCk7CvqzrLqN1JioLU4nXkElVj-rMrvNZjuUXh3c1WhNOGX5_Cg18Wmltm3vvna-uZDqOkUISXU4XOYsUyt-4962tq2u0WiI358gef4ewWcVp0PA6YiTnICV2Cg7wLzdb0DlXw HTTP/1.1Host: lh3.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/index.html HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: eyecandylashcompany.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /proxy/bATQDWurvLlY3z2KTwUlb1gMxwLZoCk7CvqzrLqN1JioLU4nXkElVj-rMrvNZjuUXh3c1WhNOGX5_Cg18Wmltm3vvna-uZDqOkUISXU4XOYsUyt-4962tq2u0WiI358gef4ewWcVp0PA6YiTnICV2Cg7wLzdb0DlXw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: lh3.googleusercontent.com
Source: global traffic HTTP traffic detected: GET /photo/2018/03/10/12/00/paper-3213924_1280.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: cdn.pixabay.com
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/office3651.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: eyecandylashcompany.com
Source: global traffic HTTP traffic detected: GET /payment/frontend_paper_lantern/images/gmail.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: eyecandylashcompany.com
Source: ~DF600634D9D62A1024.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 24CF.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1008,1868451693323365442,12850068766914001285,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1468 /prefetch:8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation -- "https://eyecandylashcompany.com/payment/frontend_paper_lantern/index.html
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=980,3874853447565799984,15077386689876222862,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1380 /prefetch:8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Invoice#0036473 .xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR7676.tmp
Source: classification engine Classification label: mal76.phis.expl.winXLSX@32/126@17/13
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Invoice#0036473 .xlsx Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: ~DF600634D9D62A1024.TMP.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX