
Analysis Report http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/

Overview

General Information

Sample URL: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/
Analysis ID: 341762

Most interesting Screenshot:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Phishing site detected (based on logo template match)
Form action URLs do not match main URL
Found iframes
HTML body contains low number of good links
HTML title does not match URL
Invalid links found
None HTTPS page querying sensitive user data (password, username or email)
Suspicious form URL found
Unusual large HTML page

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 5908 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3560 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5908 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | SlashNext: detection malicious, Label: Fake Login Page, type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on logo template match)
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | Matcher: Template: google matched
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: Form action: http://0.0.0.0/post.php azure 0
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: Iframe src: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=-190951695&timestamp=1611113064220
Source: https://accounts.google.com/signin/v2/recoveryidentifier?service=lso&continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Fzt%3DChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWmlRSQ%25E2%2588%2599APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: Iframe src: https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=150297626&timestamp=1611113085267
Source: https://accounts.google.com/signin/v2/recoveryidentifier?service=lso&continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Fzt%3DChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWmlRSQ%25E2%2588%2599APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: Iframe src: /_/bscframe
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: Number of links: 0
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: Title: Sign in - Google Accounts does not match URL
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: Invalid link: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/SignUp-service=lso&continue=https_%7C%7Caccounts.google.com%7Co%7Coauth2%7Cauth_zt=ChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWmlRSQ_E2_88_99APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX.html
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: Invalid link: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/TOS-loc=US&hl=en.html
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: Has password / email / username input fields
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: Form action: http://0.0.0.0/post.php
Source: https://accounts.google.com/signin/v2/recoveryidentifier?service=lso&continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Fzt%3DChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWmlRSQ%25E2%2588%2599APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: Total size: 1586286
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: No <meta name="author".. found
Source: https://accounts.google.com/signin/v2/recoveryidentifier?service=lso&continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Fzt%3DChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWmlRSQ%25E2%2588%2599APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: No <meta name="author".. found
Source: http://router-53793385-219d-4888-98f9-123aca45f939.eastus.cloudapp.azure.com/ | HTTP Parser: No <meta name="copyright".. found
Source: https://accounts.google.com/signin/v2/recoveryidentifier?service=lso&continue=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Fzt%3DChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWmlRSQ%25E2%2588%2599APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX&flowName=GlifWebSignIn&flowEntry=ServiceLogin | HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: so[1].htm.2.drString found in binary or memory: https://ssl.gstatic.com/gb/images/p1_cfd8cf40.png
Source: so[1].htm.2.drString found in binary or memory: https://ssl.gstatic.com/gb/images/p2_136ed2e0.png
Source: cb=gapi[1].js0.2.drString found in binary or memory: https://ssl.gstatic.com/gb/js/
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: KT0S08Y7.htm.2.drString found in binary or memory: https://ssl.gstatic.com/images/icons/ui/common/universal_language_settings-21.png
Source: lazy.min[1].js.2.drString found in binary or memory: https://ssl.gstatic.com/inproduct_help/guidedhelp/guide_inproduct.js
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://ssl.gstatic.com/support/realtime
Source: accounts[1].htm0.2.drString found in binary or memory: https://ssl.gstatic.com/support/realtime/operator/
Source: operatorParams[1].json.2.drString found in binary or memory: https://ssl.gstatic.com/support/realtime/operator/1610960497650/operatordeferred_bin_base.js
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://ssl.gstatic.com/ui/v1/activityindicator/loading.svg
Source: KT0S08Y7.htm.2.drString found in binary or memory: https://ssl.gstatic.com/ui/v1/icons/common/x_8px.png
Source: KT0S08Y7.htm.2.drString found in binary or memory: https://ssl.gstatic.com/ui/v1/menu/checkmark.png
Source: so[1].htm.2.drString found in binary or memory: https://stadia.google.com/
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://staging-casespartner-pa-googleapis.sandbox.youtube.com
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://staging-casespartner-pa.sandbox.googleapis.com
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://staging-realtimesupport-googleapis.sandbox.google.com
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://staging-realtimesupport-googleapis.sandbox.youtube.com
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://staging-supportcases-pa-googleapis.corp.google.com
Source: analytics[1].js.2.drString found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: accounts[1].htm0.2.drString found in binary or memory: https://support.corp.google.com
Source: {FC898B81-5ACE-11EB-90E4-ECF4BB862DED}.dat.1.drString found in binary or memory: https://support.google
Source: accounts[1].htm0.2.dr, so[1].htm.2.drString found in binary or memory: https://support.google.com
Source: {FC898B81-5ACE-11EB-90E4-ECF4BB862DED}.dat.1.drString found in binary or memory: https://support.google.com/acco
Source: accounts[1].htm0.2.drString found in binary or memory: https://support.google.com/accounts/
Source: ~DF647CF66800DC8527.TMP.1.drString found in binary or memory: https://support.google.com/accounts/?hl=en
Source: ~DF647CF66800DC8527.TMP.1.drString found in binary or memory: https://support.google.com/accounts/?hl=en#topic=3382296
Source: ~DF647CF66800DC8527.TMP.1.drString found in binary or memory: https://support.google.com/accounts/?hl=en#topic=3382296cloudapp.azure.com/TOS-loc=US&hl=en.htmlinue
Source: ~DF647CF66800DC8527.TMP.1.drString found in binary or memory: https://support.google.com/accounts/?hl=en45f939.eastus.cloudapp.azure.com/TOS-loc=US&hl=en.htmlinue
Source: m=sy1a,sy1b,sy1c,sy1e,sy1f,sy2z,pwd_view[1].js.2.drString found in binary or memory: https://support.google.com/accounts/answer/7162782
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://support.google.com/accounts?hl=
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://support.google.com/accounts?hl=en-GB
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://support.google.com/accounts?p=existing-account
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://support.google.com/accounts?p=signin_privatebrowsing
Source: operatorParams[1].json.2.drString found in binary or memory: https://support.google.com/chat-upload/support-cases/resumable
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://support.google.com/chrome/answer/6130773
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://support.google.com/chromebook/?p=familylink_accounts?hl=
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://support.google.com/families/answer/7101025
Source: imagestore.dat.2.drString found in binary or memory: https://support.google.com/favicon.ico
Source: imagestore.dat.2.drString found in binary or memory: https://support.google.com/favicon.ico~
Source: accounts[1].htm0.2.drString found in binary or memory: https://support.google.com/inapp/rts_frame
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://supportcases-pa-googleapis.corp.google.com
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://test-casespartner-pa.sandbox.googleapis.com
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://test-externalultron-pa-googleapis.sandbox.google.com
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://test-realtimesupport-googleapis.sandbox.google.com
Source: lazy.min[1].js.2.drString found in binary or memory: https://test-scone-pa-googleapis.sandbox.google.com
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://test-supportcases-pa-googleapis.corp.google.com
Source: so[1].htm.2.drString found in binary or memory: https://translate.google.co.uk/?hl
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: cb=gapi[2].js.2.drString found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: so[1].htm.2.drString found in binary or memory: https://www.blogger.com/?tab
Source: analytics[1].js.2.drString found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: analytics[1].js.2.drString found in binary or memory: https://www.google.%/ads/ga-audiences
Source: so[1].htm.2.drString found in binary or memory: https://www.google.co.uk/finance?tab
Source: so[1].htm.2.drString found in binary or memory: https://www.google.co.uk/intl/en/about/products?tab
Source: so[1].htm.2.drString found in binary or memory: https://www.google.co.uk/save
Source: so[1].htm.2.drString found in binary or memory: https://www.google.co.uk/shopping?hl
Source: so[1].htm.2.drString found in binary or memory: https://www.google.co.uk/webhp?tab
Source: RecoverAccount[1].htm.2.dr, accounts[1].htm0.2.drString found in binary or memory: https://www.google.com
Source: rs=AA2YrTsHV_6QDwsxjHdOvXnpgoeLwIRQsg[1].js.2.drString found in binary or memory: https://www.google.com/_/og/promos/
Source: accounts[1].htm0.2.drString found in binary or memory: https://www.google.com/accounts/TOS
Source: so[1].htm.2.drString found in binary or memory: https://www.google.com/chrome/?brand
Source: so[1].htm.2.drString found in binary or memory: https://www.google.com/enterprise/marketplace
Source: imagestore.dat.2.drString found in binary or memory: https://www.google.com/favicon.ico
Source: imagestore.dat.2.drString found in binary or memory: https://www.google.com/favicon.ico~
Source: RecoverAccount[1].htm.2.dr, rs=AA2YrTsHV_6QDwsxjHdOvXnpgoeLwIRQsg[1].js.2.dr, accounts[1].htm0.2.drString found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: accounts[1].htm0.2.drString found in binary or memory: https://www.google.com/recaptcha/api.js?onload=%
Source: accounts[1].htm0.2.drString found in binary or memory: https://www.google.com/search?q=
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://www.google.com/settings/hatsv2
Source: operatordeferred_bin_base__en[1].js.2.drString found in binary or memory: https://www.googleapis.com
Source: cb=gapi[1].js0.2.drString found in binary or memory: https://www.googleapis.com/auth/plus.login
Source: cb=gapi[2].js.2.drString found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: cb=gapi[2].js.2.drString found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: accounts[1].htm0.2.drString found in binary or memory: https://www.googleapis.com/youtube/v3/videos?part=snippet%2C
Source: analytics[1].js.2.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: so[1].htm.2.drString found in binary or memory: https://www.gstatic.com
Source: so[1].htm.2.drString found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.re6vWKa2bgc.
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: accounts[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/feedback/js/help/prod/service/lazy.min.js
Source: rs=AA2YrTsHV_6QDwsxjHdOvXnpgoeLwIRQsg[1].js.2.drString found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: RecoverAccount[1].htm.2.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: rs=AA2YrTsHV_6QDwsxjHdOvXnpgoeLwIRQsg[1].js.2.drString found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: rs=AA2YrTsHV_6QDwsxjHdOvXnpgoeLwIRQsg[1].js.2.drString found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: accounts[1].htm0.2.drString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
Source: lazy.min[1].js.2.drString found in binary or memory: https://www.gstatic.com/support/content/resources/
Source: lazy.min[1].js.2.drString found in binary or memory: https://www.gstatic.com/support/content/resources/%
Source: lazy.min[1].js.2.drString found in binary or memory: https://www.gstatic.com/support/help/staging/main_frame/help_panel_staging_binary.js
Source: www-widgetapi[1].js.2.dr, player_api[1].js.2.drString found in binary or memory: https://www.youtube.com
Source: so[1].htm.2.drString found in binary or memory: https://www.youtube.com/?gl
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: classification engine | Classification label: mal52.phis.win@3/88@5/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFC2B9C593EF906210.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5908 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5908 CREDAT:17410 /prefetch:2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Techniques per tactic (the number in parentheses is the count of matched signatures for that technique):

  • Initial Access: Drive-by Compromise (1), Default Accounts, Domain Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux)
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Defense Evasion: Masquerading (1), Process Injection (1), Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
  • Discovery: File and Directory Discovery (1), Application Window Discovery, Query Registry
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
  • Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2)
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data

Behavior Graph

Screenshots
