Windows Analysis Report
AkimaPAYROLL 2023-03-20.htm

Overview

General Information

Sample Name: AkimaPAYROLL 2023-03-20.htm
Analysis ID: 830996
MD5: 09ee47c5b227fcbf4b803a69ac0547c0
SHA1: e450aa71a3101821d24f8d9a419e78c6e2356bf4
SHA256: 99a2d35ba109bd4317ae26c4c9557007b7186cc6bc94b926d340f4bf745026a3

Detection

HTMLPhisher
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
Snort IDS alert for network traffic
HTML document with suspicious title
HTML document with suspicious name
Phishing site detected (based on image similarity)
Yara signature match
HTML body contains low number of good links
HTML title does not match URL
None HTTPS page querying sensitive user data (password, username or email)
No HTML title found
Submit button contains javascript call

Classification

Phishing

Source: Yara match File source: 76063.0.pages.csv, type: HTML
Source: file:///C:/Users/eyup/Desktop/AkimaPAYROLL%202023-03-20.htm Matcher: Found strong image similarity, brand: Microsoft image: 76063.img.1.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000006-0000-0ff1-ce00-000000000000&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DyTv8auMLORdIcWeO11-2rveQJRH_dYo9RISyrj0a1sCP5C-YZOFmewUrp_ro-Kr7aBo_hYN_nbj6VXY8rQWMD9NGkN7i4QkVe6mHpNHef8Uvad_iTMMkpEY4xjmLQ8-RA0VMG1rw3ZXloOzjsCfEww&response_mode=form_post&nonce=638149470490347218.YTQ1NWI5MzQtNGYyMy00MmFhLWI5ODMtZTQ2MTkyMjI0NzAyYmRiNzFmZTgtODdlZi00NmFiLWI1OTItNWFlYzg1YTM0MDBk&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding&ui_locales=en-US&mkt=en-US&client-request-id=a8e8bdec-70fe-4013-911c-97f82fdc6d64&x-client-SKU=ID_NET472&x-client-ver=6.16.0.0 HTTP Parser: Number of links: 0
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000006-0000-0ff1-ce00-000000000000&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DyTv8auMLORdIcWeO11-2rveQJRH_dYo9RISyrj0a1sCP5C-YZOFmewUrp_ro-Kr7aBo_hYN_nbj6VXY8rQWMD9NGkN7i4QkVe6mHpNHef8Uvad_iTMMkpEY4xjmLQ8-RA0VMG1rw3ZXloOzjsCfEww&response_mode=form_post&nonce=638149470490347218.YTQ1NWI5MzQtNGYyMy00MmFhLWI5ODMtZTQ2MTkyMjI0NzAyYmRiNzFmZTgtODdlZi00NmFiLWI1OTItNWFlYzg1YTM0MDBk&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding&ui_locales=en-US&mkt=en-US&client-request-id=a8e8bdec-70fe-4013-911c-97f82fdc6d64&x-client-SKU=ID_NET472&x-client-ver=6.16.0.0&sso_reload=true HTTP Parser: Number of links: 1
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000006-0000-0ff1-ce00-000000000000&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DyTv8auMLORdIcWeO11-2rveQJRH_dYo9RISyrj0a1sCP5C-YZOFmewUrp_ro-Kr7aBo_hYN_nbj6VXY8rQWMD9NGkN7i4QkVe6mHpNHef8Uvad_iTMMkpEY4xjmLQ8-RA0VMG1rw3ZXloOzjsCfEww&response_mode=form_post&nonce=638149470490347218.YTQ1NWI5MzQtNGYyMy00MmFhLWI5ODMtZTQ2MTkyMjI0NzAyYmRiNzFmZTgtODdlZi00NmFiLWI1OTItNWFlYzg1YTM0MDBk&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding&ui_locales=en-US&mkt=en-US&client-request-id=a8e8bdec-70fe-4013-911c-97f82fdc6d64&x-client-SKU=ID_NET472&x-client-ver=6.16.0.0 HTTP Parser: Title: Redirecting does not match URL
Source: file:///C:/Users/eyup/Desktop/AkimaPAYROLL%202023-03-20.htm HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/eyup/Desktop/AkimaPAYROLL%202023-03-20.htm HTTP Parser: HTML title missing
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000006-0000-0ff1-ce00-000000000000&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DyTv8auMLORdIcWeO11-2rveQJRH_dYo9RISyrj0a1sCP5C-YZOFmewUrp_ro-Kr7aBo_hYN_nbj6VXY8rQWMD9NGkN7i4QkVe6mHpNHef8Uvad_iTMMkpEY4xjmLQ8-RA0VMG1rw3ZXloOzjsCfEww&response_mode=form_post&nonce=638149470490347218.YTQ1NWI5MzQtNGYyMy00MmFhLWI5ODMtZTQ2MTkyMjI0NzAyYmRiNzFmZTgtODdlZi00NmFiLWI1OTItNWFlYzg1YTM0MDBk&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding&ui_locales=en-US&mkt=en-US&client-request-id=a8e8bdec-70fe-4013-911c-97f82fdc6d64&x-client-SKU=ID_NET472&x-client-ver=6.16.0.0&sso_reload=true HTTP Parser: HTML title missing
Source: file:///C:/Users/eyup/Desktop/AkimaPAYROLL%202023-03-20.htm HTTP Parser: On click: onMychecked()
Source: file:///C:/Users/eyup/Desktop/AkimaPAYROLL%202023-03-20.htm HTTP Parser: No <meta name="author".. found
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000006-0000-0ff1-ce00-000000000000&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DyTv8auMLORdIcWeO11-2rveQJRH_dYo9RISyrj0a1sCP5C-YZOFmewUrp_ro-Kr7aBo_hYN_nbj6VXY8rQWMD9NGkN7i4QkVe6mHpNHef8Uvad_iTMMkpEY4xjmLQ8-RA0VMG1rw3ZXloOzjsCfEww&response_mode=form_post&nonce=638149470490347218.YTQ1NWI5MzQtNGYyMy00MmFhLWI5ODMtZTQ2MTkyMjI0NzAyYmRiNzFmZTgtODdlZi00NmFiLWI1OTItNWFlYzg1YTM0MDBk&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding&ui_locales=en-US&mkt=en-US&client-request-id=a8e8bdec-70fe-4013-911c-97f82fdc6d64&x-client-SKU=ID_NET472&x-client-ver=6.16.0.0 HTTP Parser: No <meta name="author".. found
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000006-0000-0ff1-ce00-000000000000&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DyTv8auMLORdIcWeO11-2rveQJRH_dYo9RISyrj0a1sCP5C-YZOFmewUrp_ro-Kr7aBo_hYN_nbj6VXY8rQWMD9NGkN7i4QkVe6mHpNHef8Uvad_iTMMkpEY4xjmLQ8-RA0VMG1rw3ZXloOzjsCfEww&response_mode=form_post&nonce=638149470490347218.YTQ1NWI5MzQtNGYyMy00MmFhLWI5ODMtZTQ2MTkyMjI0NzAyYmRiNzFmZTgtODdlZi00NmFiLWI1OTItNWFlYzg1YTM0MDBk&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding&ui_locales=en-US&mkt=en-US&client-request-id=a8e8bdec-70fe-4013-911c-97f82fdc6d64&x-client-SKU=ID_NET472&x-client-ver=6.16.0.0&sso_reload=true HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/eyup/Desktop/AkimaPAYROLL%202023-03-20.htm HTTP Parser: No <meta name="copyright".. found
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000006-0000-0ff1-ce00-000000000000&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DyTv8auMLORdIcWeO11-2rveQJRH_dYo9RISyrj0a1sCP5C-YZOFmewUrp_ro-Kr7aBo_hYN_nbj6VXY8rQWMD9NGkN7i4QkVe6mHpNHef8Uvad_iTMMkpEY4xjmLQ8-RA0VMG1rw3ZXloOzjsCfEww&response_mode=form_post&nonce=638149470490347218.YTQ1NWI5MzQtNGYyMy00MmFhLWI5ODMtZTQ2MTkyMjI0NzAyYmRiNzFmZTgtODdlZi00NmFiLWI1OTItNWFlYzg1YTM0MDBk&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding&ui_locales=en-US&mkt=en-US&client-request-id=a8e8bdec-70fe-4013-911c-97f82fdc6d64&x-client-SKU=ID_NET472&x-client-ver=6.16.0.0 HTTP Parser: No <meta name="copyright".. found
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000006-0000-0ff1-ce00-000000000000&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DyTv8auMLORdIcWeO11-2rveQJRH_dYo9RISyrj0a1sCP5C-YZOFmewUrp_ro-Kr7aBo_hYN_nbj6VXY8rQWMD9NGkN7i4QkVe6mHpNHef8Uvad_iTMMkpEY4xjmLQ8-RA0VMG1rw3ZXloOzjsCfEww&response_mode=form_post&nonce=638149470490347218.YTQ1NWI5MzQtNGYyMy00MmFhLWI5ODMtZTQ2MTkyMjI0NzAyYmRiNzFmZTgtODdlZi00NmFiLWI1OTItNWFlYzg1YTM0MDBk&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding&ui_locales=en-US&mkt=en-US&client-request-id=a8e8bdec-70fe-4013-911c-97f82fdc6d64&x-client-SKU=ID_NET472&x-client-ver=6.16.0.0&sso_reload=true HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: chrome.exe Memory has grown: Private usage: 5MB later: 24MB

Networking

Source: Traffic Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.2:50628 -> 1.1.1.1:53
Source: unknown DNS traffic detected: queries for: accounts.google.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.186.67
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.6.156

System Summary

Source: file:///C:/Users/eyup/Desktop/AkimaPAYROLL%202023-03-20.htm Tab title: Sign in to your account
Source: Name includes: AkimaPAYROLL 2023-03-20.htm Initial sample: payroll
Source: 76063.0.pages.csv, type: HTML Matched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detects JS obfuscation done by the js obfuscator (often malicious), score = , reference = https://obfuscator.io
Source: classification engine Classification label: mal68.phis.winHTM@31/44@7/176
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\eyup\Desktop\AkimaPAYROLL 2023-03-20.htm
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1804,i,3339978135350707528,11391006254209080239,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\GoogleUpdater
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\System32 FullSizeInformation