

Analysis Report xerox for hycite.htm

Overview

General Information

Sample Name:xerox for hycite.htm
Analysis ID:356247
MD5:158eb35645b71b26b2afd86759768631
SHA1:c4d06a2c43fd948127d9dfc9880302163cae82ea
SHA256:5873df6b96a855b79f32aaf44098777bbac335debc6a9ebee8aadcf50fd7077a

Most interesting Screenshot:

Detection

HTMLPhisher
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Yara detected obfuscated html page
Phishing site detected (based on image similarity)
Phishing site detected (based on logo template match)
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
Invalid 'forgot password' link found
JA3 SSL client fingerprint seen in connection with other malware

Classification

Startup

  • System is w10x64
  • chrome.exe (PID: 6436 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'C:\Users\user\Desktop\xerox for hycite.htm' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6632 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,9969516566149389704,7036051267904063449,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1696 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
xerox for hycite.htm | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Signature Overview


    Phishing:

    Phishing site detected (based on favicon image match)
    Source: https://www.curryhut.de/vendor/bin/data/common/login Matcher: Template: microsoft matched with high similarity
    Yara detected HtmlPhish_10
    Source: Yara match File source: 21604.pages.csv, type: HTML
    Yara detected obfuscated html page
    Source: Yara match File source: xerox for hycite.htm, type: SAMPLE
    Phishing site detected (based on image similarity)
    Source: https://www.curryhut.de/vendor/bin/data/common/login Matcher: Found strong image similarity, brand: Microsoft image: 21604.img.2.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
    Phishing site detected (based on logo template match)
    Source: https://www.curryhut.de/vendor/bin/data/common/login Matcher: Template: microsoft matched
    Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)
    Source: https://www.curryhut.de/vendor/bin/data/common/login HTTP Parser: var gentot = ('0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz'); var udud = '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
    HTML body contains low number of good links
    Source: https://www.curryhut.de/vendor/bin/data/common/login HTTP Parser: Number of links: 0
    HTML title does not match URL
    Source: https://www.curryhut.de/vendor/bin/data/common/login HTTP Parser: Title: Enter your password does not match URL
    Invalid 'forgot password' link found
    Source: https://www.curryhut.de/vendor/bin/data/common/login HTTP Parser: Invalid link: Forgot my password
    Source: https://www.curryhut.de/vendor/bin/data/common/login HTTP Parser: No <meta name="author".. found
    Source: https://www.curryhut.de/vendor/bin/data/common/login HTTP Parser: No <meta name="copyright".. found
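    The HTTP Parser findings above (title that shares nothing with the host, zero good links, a "Forgot my password" anchor that goes nowhere, no author/copyright meta) are cheap structural heuristics that a credential-harvesting template trips almost by construction, and they are worth reproducing in an in-house triage pipeline. The code below is an added example, not Joe Sandbox's detector: it runs those four checks over a constructed page shaped like the one the report describes and over a constructed benign control on the same host. The good-link threshold (MIN_GOOD_LINKS) and the word-overlap test used for the title/URL comparison are assumptions.

```python
"""Re-implementation of the HTTP Parser heuristics the report lists
(title/URL mismatch, few good links, dead 'forgot password' link, missing
meta author/copyright), run over a constructed lookalike page.
Added example, not Joe Sandbox code; thresholds are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MIN_GOOD_LINKS = 2  # assumed threshold for "low number of good links"


class _Collector(HTMLParser):
    """Collects <title> text, <a> (href, text) pairs and <meta name=...> names."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self.links = []
        self.meta_names = set()
        self._in_title = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._href = a.get("href") or ""
            self._text = []
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)
        if self._href is not None:
            self._text.append(data)


def is_good_link(href):
    """A good link is an absolute http(s) URL with a host; '#', '' and
    'javascript:...' targets, typical of phishing kits, are not."""
    p = urlparse(href)
    return p.scheme in ("http", "https") and bool(p.netloc)


def phish_heuristics(html, page_url):
    """Run the four checks; returns the findings plus a 'hits' count."""
    c = _Collector()
    c.feed(html)
    title = " ".join(c.title_parts).strip().lower()
    host = urlparse(page_url).netloc.lower()
    words = [w for w in re.findall(r"[a-z]+", title) if len(w) > 3]
    findings = {
        # "Enter your password" shares no word with www.curryhut.de
        "title_url_mismatch": bool(words) and not any(w in host for w in words),
        "low_good_links": sum(is_good_link(h) for h, _ in c.links) < MIN_GOOD_LINKS,
        "invalid_forgot_password": any(
            "forgot" in t.lower() and not is_good_link(h) for h, t in c.links
        ),
        "missing_meta": not {"author", "copyright"} <= c.meta_names,
    }
    findings["hits"] = sum(findings.values())
    return findings


# Constructed lookalike of what the report describes: bare password prompt,
# dead "Forgot my password" anchor, no author/copyright meta, no real links.
PHISH_HTML = """<html><head><title>Enter your password</title></head>
<body><form method="post" action="login.php">
<input type="password" name="pw"><input type="submit" value="Sign in">
</form><a href="#">Forgot my password</a></body></html>"""

# Constructed benign control page on the same host.
BENIGN_HTML = """<html><head><title>Curry Hut - Login</title>
<meta name="author" content="Curry Hut"><meta name="copyright" content="Curry Hut">
</head><body><a href="https://www.curryhut.de/menu">Menu</a>
<a href="https://www.curryhut.de/contact">Contact</a>
<a href="https://www.curryhut.de/reset">Forgot my password</a></body></html>"""

PAGE_URL = "https://www.curryhut.de/vendor/bin/data/common/login"

if __name__ == "__main__":
    for name, doc in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(name, phish_heuristics(doc, PAGE_URL))
```

    None of these checks is conclusive on its own (plenty of legitimate intranet login pages have no meta author and few outbound links), which is why the report combines them with the image, favicon and logo matches before scoring.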

    Compliance:

    Creates a directory in C:\Program Files
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
    Creates license or readme file
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\6436_163599434\LICENSE.txt
    Uses secure TLS version for HTTPS connections
    Source: unknown HTTPS traffic detected: 92.204.219.148:443 -> 192.168.2.3:49729 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 92.204.219.148:443 -> 192.168.2.3:49745 version: TLS 1.2
    Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250 (the SSDP multicast group; background Windows traffic, not sample behaviour)
    Source: Joe Sandbox View JA3 fingerprint: b32309a26951912be7dba376398abc3b (the TLS client here is chrome.exe, so the JA3 identifies the browser build rather than the sample)
    Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: global traffic HTTP traffic detected: GET /inbox/66d676172636961406879636974652e636f6d HTTP/1.1 Host: euro2.safelinks.protection.hycite.mkanet.com.br Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
    Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
    Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com/ad.*^ajaxpipe^ equals www.facebook.com (Facebook)
    Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com/ad.*^ajaxpipe^Z equals www.facebook.com (Facebook)
    Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
    Source: unknown DNS traffic detected: queries for: euro2.safelinks.protection.hycite.mkanet.com.br
    Source: 77EC63BDA74BD0D0E0426DC8F8008506.1.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    Source: Favicons.0.dr String found in binary or memory: http://euro2.safelinks.protection.hycite.mkanet.com.br/inbox/66d676172636961406879636974652e636f6d
    Source: History Provider Cache.0.dr String found in binary or memory: http://euro2.safelinks.protection.hycite.mkanet.com.br/inbox/66d676172636961406879636974652e636f6d2
    Source: Favicons.0.dr String found in binary or memory: http://euro2.safelinks.protection.hycite.mkanet.com.br/inbox/66d676172636961406879636974652e636f6d8
    Source: History.0.dr String found in binary or memory: http://euro2.safelinks.protection.hycite.mkanet.com.br/inbox/66d676172636961406879636974652e636f6dEn
    Source: manifest.json0.0.dr, b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://accounts.google.com
    Source: Ruleset Data.0.dr String found in binary or memory: https://adwords.google.com/
    Source: manifest.json0.0.dr, b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://apis.google.com
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://clients2.google.com
    Source: manifest.json0.0.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://clients2.googleusercontent.com
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr String found in binary or memory: https://content-autofill.googleapis.com
    Source: manifest.json0.0.dr String found in binary or memory: https://content.googleapis.com
    Source: 1aa724cf792052df_0.0.dr String found in binary or memory: https://curryhut.de/K
    Source: 695de0af-ffc2-4c28-bc33-7aadafac8e1d.tmp.1.dr, b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr, 81597e5e-51ec-4e46-99d0-380bb257020f.tmp.1.dr String found in binary or memory: https://dns.google
    Source: manifest.json0.0.dr String found in binary or memory: https://feedback.googleusercontent.com
    Source: e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://fonts.googleapis.com
    Source: manifest.json0.0.dr String found in binary or memory: https://fonts.googleapis.com;
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://fonts.gstatic.com
    Source: manifest.json0.0.dr String found in binary or memory: https://fonts.gstatic.com;
    Source: manifest.json0.0.dr String found in binary or memory: https://hangouts.google.com/
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://ogs.google.com
    Source: manifest.json.0.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://play.google.com
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr String found in binary or memory: https://r2---sn-4g5ednsy.gvt1.com
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr String found in binary or memory: https://redirector.gvt1.com
    Source: manifest.json.0.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://ssl.gstatic.com
    Source: messages.json41.0.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json41.0.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: Current Session.0.dr, b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr String found in binary or memory: https://www.curryhut.de
    Source: Network Action Predictor.0.dr String found in binary or memory: https://www.curryhut.de/
    Source: Current Session.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/
    Source: Favicons.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/?ss=2&ea=66d676172636961406879636974652e636f6d
    Source: History Provider Cache.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/?ss=2&ea=66d676172636961406879636974652e636f6d2
    Source: History.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/?ss=2&ea=66d676172636961406879636974652e636f6dEnter
    Source: Favicons.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/?ss=2&ea=66d676172636961406879636974652e636f6dg
    Source: Current Session.0.dr, Favicons.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/common/login
    Source: History Provider Cache.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/common/login2
    Source: History.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/common/loginEnter
    Source: 1aa724cf792052df_0.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/files/enc.js
    Source: Favicons.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/files2/favicon.ico
    Source: Current Session.0.dr, Favicons.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/login.php?ss=2&ea=66d676172636961406879636974652e636f6d
    Source: History Provider Cache.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/login.php?ss=2&ea=66d676172636961406879636974652e636f6d2
    Source: History.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data/login.php?ss=2&ea=66d676172636961406879636974652e636f6dEnter
    Source: Favicons.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data?ss=2&ea=66d676172636961406879636974652e636f6d
    Source: History Provider Cache.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data?ss=2&ea=66d676172636961406879636974652e636f6d2
    Source: History.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data?ss=2&ea=66d676172636961406879636974652e636f6dEnter
    Source: Favicons.0.dr String found in binary or memory: https://www.curryhut.de/vendor/bin/data?ss=2&ea=66d676172636961406879636974652e636f6dd
    Source: manifest.json0.0.dr, b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://www.google.com
    Source: manifest.json.0.dr String found in binary or memory: https://www.google.com/
    Source: manifest.json0.0.dr String found in binary or memory: https://www.google.com;
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://www.googleapis.com
    Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/
    Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
    Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
    Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
    Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
    Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
    Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
    Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
    Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
    Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
    Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
    Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
    Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
    Source: b0afc06f-4b92-4c3f-bc6d-fee8371e7619.tmp.1.dr, e025eb74-386b-44ca-9ec7-b862b5c4620f.tmp.1.dr String found in binary or memory: https://www.gstatic.com
    Source: manifest.json0.0.dr String found in binary or memory: https://www.gstatic.com;
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
    Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
    Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
    Source: classification engine Classification label: mal76.phis.winHTM@39/189@5/6
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-60347F79-1924.pma
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\18b0406f-e190-436e-b911-ac4b03219b3f.tmp
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'C:\Users\user\Desktop\xerox for hycite.htm'
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,9969516566149389704,7036051267904063449,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1696 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,9969516566149389704,7036051267904063449,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1696 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (36 identical entries for further chrome.exe child processes whose image path and command line were not captured; collapsed here)
    Source: Window RecorderWindow detected: More than 3 window changes detected
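    The lure chain is legible in the URL strings recovered from Chrome's History, Favicons and session files: the `/inbox/<token>` path on euro2.safelinks.protection.hycite.mkanet.com.br (a look-alike of the Microsoft Safe Links host pattern) and the `ea=<token>` query on www.curryhut.de carry the same token, and by its shape that token appears to be hex-encoded ASCII, which phishing kits commonly use to pre-fill the victim's address on the fake login page (an inference from the strings, not a finding the report makes). The trailing characters such as `2`, `Enter`, `g` and `d` on otherwise identical URLs are junk that a string dump picks up from the bytes following the URL in the artifact file. The helper below is an added example, not Joe Sandbox code: it normalises report-style lines (constructed here with the report's host names and a made-up token for `user@example.com` in place of the real one), lists the hosts to block, and decodes the token while tolerating the appended junk.

```python
"""Triage helper for URL strings recovered from browser artifacts:
normalise them, list the hosts involved, and decode hex-encoded path
segments or query values that phishing kits use to carry the target's
address. Added example, not Joe Sandbox code; the input lines are
constructed with the report's host names and a made-up token."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed report-style lines. The trailing "2" and "Enter" mimic the
# junk bytes a string dump of Chrome's History/Favicons files appends.
ARTIFACT_LINES = [
    "Favicons.0.dr: http://euro2.safelinks.protection.hycite.mkanet.com.br/inbox/75736572406578616d706c652e636f6d",
    "History.0.dr: http://euro2.safelinks.protection.hycite.mkanet.com.br/inbox/75736572406578616d706c652e636f6d2",
    "History.0.dr: https://www.curryhut.de/vendor/bin/data/?ss=2&ea=75736572406578616d706c652e636f6dEnter",
    "Favicons.0.dr: https://www.curryhut.de/vendor/bin/data/login.php?ss=2&ea=75736572406578616d706c652e636f6d",
    "Current Session.0.dr: https://www.curryhut.de/vendor/bin/data/common/login",
    "1aa724cf792052df_0.0.dr: https://www.curryhut.de/vendor/bin/data/files/enc.js",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HEX_RE = re.compile(r"^[0-9a-fA-F]+")  # leading hex run of a token


def decode_hex_token(token):
    """Decode the leading hex run of a token to printable ASCII, or None.
    Junk appended by the string dump is tolerated: only the leading hex
    run is used, and an odd trailing digit is dropped (heuristic)."""
    m = HEX_RE.match(token)
    if not m:
        return None
    h = m.group(0)
    if len(h) % 2:
        h = h[:-1]
    if len(h) < 16:  # too short to be an encoded address; avoids "da", "e"...
        return None
    try:
        s = bytes.fromhex(h).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return s if s.isprintable() else None


def triage(lines):
    """Return unique URLs, the hosts they touch, and decoded tokens with
    the number of URLs each one appeared in."""
    urls = sorted({m.group(0) for line in lines for m in URL_RE.finditer(line)})
    hosts = sorted({urlparse(u).netloc.lower() for u in urls})
    decoded = {}
    for u in urls:
        p = urlparse(u)
        candidates = [seg for seg in p.path.split("/") if seg]
        for values in parse_qs(p.query).values():
            candidates.extend(values)
        for tok in candidates:
            text = decode_hex_token(tok)
            if text:
                decoded[text] = decoded.get(text, 0) + 1
    return {"urls": urls, "hosts": hosts, "decoded_tokens": decoded}


if __name__ == "__main__":
    result = triage(ARTIFACT_LINES)
    print("hosts to block:", result["hosts"])
    print("decoded tokens:", result["decoded_tokens"])
    for u in result["urls"]:
        print("  ", u)
```

    The decoded token tells you who the lure was addressed to, which is the first thing an incident responder needs in order to check whether that mailbox's owner actually submitted credentials; the host list feeds the block list. The redirect host is worth a separate note: "safelinks.protection" in a subdomain is meant to make the link look like a Microsoft Safe Links rewrite, so a detection on that substring outside the genuine safelinks.protection.outlook.com domain is a cheap and fairly specific signal.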

    Mitre Att&ck Matrix

    Techniques are listed per tactic. A number in parentheses is the count of this report's signatures mapped to that technique; techniques without a number are the matrix's unmatched placeholders.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Scripting (1); Scheduled Task/Job; At (Linux); At (Windows)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
    Defense Evasion: Masquerading (3); Process Injection (1); Deobfuscate/Decode Files or Information (1); Scripting (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    Discovery: System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
    Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (2); Application Layer Protocol (3); Ingress Tool Transfer (1)
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped