Loading ...

Play interactive tourEdit tour

Windows Analysis Report https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.io

Overview

General Information

Sample URL:https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.io
Analysis ID:502281
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected HtmlPhish10
Phishing site detected (based on logo template match)
URL contains potential PII (phishing indication)
HTML body contains low number of good links
No HTML title found

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 5008 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.io' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6184 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,15913376204894206676,13153788505041309777,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3JoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Phishing:

    barindex
    Yara detected HtmlPhish10Show sources
    Source: Yara matchFile source: 93495.1.pages.csv, type: HTML
    Source: Yara matchFile source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3, type: DROPPED
    Phishing site detected (based on logo template match)Show sources
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookMatcher: Template: unicredit matched
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioSample URL: PII: andy@candies-twentytwo.io
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookHTTP Parser: Number of links: 1
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookHTTP Parser: Number of links: 1
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookHTTP Parser: HTML title missing
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookHTTP Parser: HTML title missing
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookHTTP Parser: No <meta name="author".. found
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookHTTP Parser: No <meta name="author".. found
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookHTTP Parser: No <meta name="copyright".. found
    Source: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookHTTP Parser: No <meta name="copyright".. found
    Source: unknownHTTPS traffic detected: 67.227.248.137:443 -> 192.168.2.4:49801 version: TLS 1.2
    Source: unknownDNS traffic detected: queries for: clientconfig.passport.net
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
    Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
    Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
    Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49816
    Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49814
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49811
    Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
    Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
    Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49807
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
    Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
    Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
    Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
    Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
    Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
    Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/?email=andy@candies-twentytwo.io HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/css/api.css HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/config.js HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/framework.min.js HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/bundle.min.js HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/framework.min.js HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/bundle.min.js HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/images/favicon/manifest.json HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/images/favicon/favicon-32x32.png HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/images/favicon/android-chrome-192x192.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: insurance.insuretym.com
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/images/favicon/favicon-16x16.png HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/images/favicon/favicon-96x96.png HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/images/favicon/android-chrome-192x192.png HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlook HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.ioAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/js/config.js HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/css/style.css HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/css/pikaday.css HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/js/framework.min.js HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/js/bundle.min.js HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/images/icons/icons.svg HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: imageReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /office365.com HTTP/1.1Host: logo.clearbit.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/images/background.svg HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/fonts/Roboto-Medium.woff2 HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveOrigin: https://insurance.insuretym.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/css/style.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/fonts/Roboto-Regular.woff2 HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveOrigin: https://insurance.insuretym.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/css/style.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=a9a88841c8ace1d77f8ef4a0c3414822
    Source: global trafficHTTP traffic detected: GET /wp-include/reports/genWeb/webmail/images/favicon/manifest.json HTTP/1.1Host: insurance.insuretym.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&redirect_uri=https%3A%2F%2Fwww.candies-twentytwo.io%2F&protectedtoken=false&id=Y2FuZGllcy10d2VudHl0d28uaW8=&Country=US&x=YW5keUBjYW5kaWVzLXR3ZW50eXR3by5pbw==&i=outlookAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:13 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:13 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:13 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:14 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:15 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:16 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:16 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:17 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:17 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:18 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:18 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:24 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:26 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Oct 2021 17:12:27 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://insurance.insuretym.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
    Source: angular.js.0.drString found in binary or memory: http://angularjs.org
    Source: data_3.1.drString found in binary or memory: http://candies-twentytwo.io/favicon.ico
    Source: data_2.1.drString found in binary or memory: http://dbushell.com/
    Source: angular.js.0.drString found in binary or memory: http://errors.angularjs.org/1.6.4-local
    Source: mirroring_hangouts.js.0.drString found in binary or memory: http://tools.ietf.org/html/rfc1950
    Source: mirroring_hangouts.js.0.drString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: mirroring_hangouts.js.0.drString found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
    Source: mirroring_hangouts.js.0.drString found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, manifest.json0.0.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://accounts.google.com
    Source: craw_window.js.0.drString found in binary or memory: https://accounts.google.com/MergeSession
    Source: 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://ajax.googleapis.com
    Source: Network Action Predictor.0.drString found in binary or memory: https://ajax.googleapis.com/
    Source: data_1.1.dr, 5dc4e4e594caf8e4_0.0.dr, data_3.1.drString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js
    Source: data_1.1.drString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.jsvar
    Source: data_2.1.drString found in binary or memory: https://api.w.org/
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, manifest.json0.0.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://apis.google.com
    Source: mirroring_common.js.0.drString found in binary or memory: https://apis.google.com/js/client.js
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/android-chrome-192x192.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-114x114.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-120x120.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-144x144.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-152x152.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-180x180.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-57x57.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-60x60.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-72x72.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/apple-touch-icon-76x76.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/favicon-32x32.png
    Source: data_3.1.drString found in binary or memory: https://candies-twentytwo.io/images/favicon/favicon-96x96.png
    Source: mirroring_common.js.0.drString found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://clients2.google.com
    Source: mirroring_hangouts.js.0.dr, mirroring_cast_streaming.js.0.drString found in binary or memory: https://clients2.google.com/cr/report
    Source: manifest.json0.0.drString found in binary or memory: https://clients2.google.com/service/update2/crx
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://clients2.googleusercontent.com
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://clients6.google.com
    Source: 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://content-autofill.googleapis.com
    Source: data_1.1.drString found in binary or memory: https://content-autofill.googleapis.com/v1/pages/Chc2LjEuMTcxNS4xNDQyL2VuIChHR0xMKRIfCRV0lK_FUffSEgk
    Source: manifest.json0.0.drString found in binary or memory: https://content.googleapis.com
    Source: mirroring_cast_streaming.js.0.dr, common.js.0.drString found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
    Source: data_3.1.drString found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushers
    Source: data_3.1.drString found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushersCross-Origin-Resource-Policy:
    Source: data_3.1.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a2d20088-966f-4854-bb7f-fccd8a615bd4.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.dr, 0c6c11d4-dd66-426c-bb49-4aa2b819fff2.tmp.1.drString found in binary or memory: https://dns.google
    Source: mirroring_common.js.0.drString found in binary or memory: https://docs.google.com
    Source: manifest.json0.0.drString found in binary or memory: https://feedback.googleusercontent.com
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://fonts.googleapis.com
    Source: manifest.json0.0.drString found in binary or memory: https://fonts.googleapis.com;
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://fonts.gstatic.com
    Source: manifest.json0.0.drString found in binary or memory: https://fonts.gstatic.com;
    Source: material_css_min.css.0.drString found in binary or memory: https://github.com/angular/material
    Source: craw_window.js.0.dr, craw_background.js.0.drString found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://hangouts.clients6.google.com
    Source: manifest.json0.0.drString found in binary or memory: https://hangouts.google.com/
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
    Source: Current Session.0.drString found in binary or memory: https://insurance.insuretym.com
    Source: Network Action Predictor.0.drString found in binary or memory: https://insurance.insuretym.com/
    Source: History.0.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/images/favicon/android-chrome-192x192.png
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/images/favicon/favicon-16x16.png
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/images/favicon/favicon-32x32.png
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/images/favicon/favicon-96x96.png
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/images/favicon/manifest.json
    Source: Current Session.0.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/
    Source: History.0.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/?client_id=FgjdptDJGZoUaM7YHx41X8&
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/css/api.css
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/css/pikaday.css
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/css/style.css
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/css/style.css%
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/fonts/Roboto-Medium.woff2
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/fonts/Roboto-Regular.woff2
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/fonts/Roboto-Regular.woff2ChIKBw3n
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/images/background.svg
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/images/favicon/manifest.json
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/images/favicon/manifest.jsonD
    Source: data_1.1.dr, 8f75485cfa400fd0_0.0.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/js/bundle.min.js
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/js/bundle.min.js8
    Source: data_1.1.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/js/config.js
    Source: data_1.1.dr, eaf07a6405f89499_0.0.drString found in binary or memory: https://insurance.insuretym.com/wp-include/reports/genWeb/webmail/js/framework.min.js
    Source: data_2.1.drString found in binary or memory: https://insurance.insuretym.com/wp-json/
    Source: 8f75485cfa400fd0_0.0.drString found in binary or memory: https://insuretym.com/
    Source: data_3.1.drString found in binary or memory: https://logo.clearbit.com/office365.com
    Source: data_1.1.drString found in binary or memory: https://logo.clearbit.com/office365.com?
    Source: mirroring_common.js.0.drString found in binary or memory: https://meet.google.com
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://meetings.clients6.google.com
    Source: mirroring_common.js.0.drString found in binary or memory: https://networktraversal.googleapis.com/v1alpha
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://ogs.google.com
    Source: craw_window.js.0.dr, manifest.json.0.drString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://play.google.com
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.drString found in binary or memory: https://r5---sn-h0jeln7l.gvt1.com
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://redirector.gvt1.com
    Source: craw_window.js.0.dr, manifest.json.0.drString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://ssl.gstatic.com
    Source: messages.json106.0.dr, feedback.html.0.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json106.0.dr, feedback.html.0.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: craw_window.js.0.dr, craw_background.js.0.drString found in binary or memory: https://www-googleapis-staging.sandbox.google.com
    Source: Current Session.0.drString found in binary or memory: https://www.candies-twentytwo.io/
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, manifest.json0.0.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://www.google.com
    Source: manifest.json.0.drString found in binary or memory: https://www.google.com/
    Source: craw_window.js.0.drString found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
    Source: craw_window.js.0.drString found in binary or memory: https://www.google.com/images/cleardot.gif
    Source: craw_window.js.0.drString found in binary or memory: https://www.google.com/images/dot2.gif
    Source: craw_window.js.0.drString found in binary or memory: https://www.google.com/images/x2.gif
    Source: craw_background.js.0.drString found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
    Source: mirroring_hangouts.js.0.drString found in binary or memory: https://www.google.com/log?format=json&hasfast=true
    Source: feedback_script.js.0.drString found in binary or memory: https://www.google.com/tools/feedback
    Source: manifest.json0.0.drString found in binary or memory: https://www.google.com;
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, craw_window.js.0.dr, craw_background.js.0.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://www.googleapis.com
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/clouddevices
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/meetings
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/sierra
    Source: manifest.json.0.drString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
    Source: mirroring_common.js.0.drString found in binary or memory: https://www.googleapis.com/calendar/v3
    Source: mirroring_common.js.0.drString found in binary or memory: https://www.googleapis.com/hangouts/v1
    Source: 544892d2-36a4-4312-ac0c-04c6d912b729.tmp.1.dr, a226f832-3cc3-4dcd-9bbb-44b349591bdf.tmp.1.dr, 4d3d671e-5f60-40db-bf20-d8c9b1efc9da.tmp.1.drString found in binary or memory: https://www.gstatic.com
    Source: common.js.0.drString found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
    Source: manifest.json0.0.drString found in binary or memory: https://www.gstatic.com;
    Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: unknownHTTPS traffic detected: 67.227.248.137:443 -> 192.168.2.4:49801 version: TLS 1.2
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\d8597684-ff92-4815-b1ab-e3f0a7de006e.tmpJump to behavior
    Source: classification engineClassification label: mal52.phis.win@30/222@14/9
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://insurance.insuretym.com/wp-include/reports/genWeb/?email=andy@candies-twentytwo.io'
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,15913376204894206676,13153788505041309777,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,15913376204894206676,13153788505041309777,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61671369-1390.pmaJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol4Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol5Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferIngress Tool Transfer3SIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet