Windows Analysis Report Proof oF Payment.htm

Overview

General Information

Sample Name: Proof oF Payment.htm
Analysis ID: 509223
MD5: 0727b75ec19fbc0337f69ceb06d56694
SHA1: ddbd82337b70dbfba9c2a244b4cd2d962ab7552b
SHA256: f9e764b07015f388de096a1b240b7d7e96ce615abf32c63f7afc848a1822ae2a
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
HTML document with suspicious title
Phishing site detected (based on various OCR indicators)
HTML document with suspicious name
PE file contains an invalid checksum
Drops PE files
None HTTPS page querying sensitive user data (password, username or email)
PE file contains sections with non-standard names
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
HTML body contains low number of good links
IP address seen in connection with other malware

Classification

Phishing:

barindex
Yara detected HtmlPhish10
Source: Yara match File source: Proof oF Payment.htm, type: SAMPLE
Source: Yara match File source: 11693.0.pages.csv, type: HTML
Phishing site detected (based on various OCR indicators)
Source: Screenshots OCR Text: Sign in to view the document D0 0
Source: Screenshots OCR Text: Downloading proxy script,,. O Type here to search E Yd Adobe POEX + <- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm a X *i Sign in to view the document D0 0 Turn on Windows Firewall Windows Firewall is turned off. Tap or click to turn it on. Security and Maintenance Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to vie
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: Has password / email / username input fields
No HTML title found
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: HTML title missing
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\5048_2090465519\LICENSE.txt Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: unknown HTTPS traffic detected: 198.11.15.51:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.11.15.51:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: Binary string: widevinecdm.dll.pdb source: widevinecdm.dll.1.dr
Source: Binary string: widevinecdm.dll.pdb@ source: widevinecdm.dll.1.dr

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.19.143.111 104.19.143.111
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: Ruleset Data.1.dr String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.1.dr String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.1.dr String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 26 Oct 2021 07:12:14 GMTContent-Type: text/plain; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 6a41e006cb614e26-FRACache-Control: public, max-age=31536000Expires: Wed, 26 Oct 2022 07:12:14 GMTVary: Accept-EncodingVia: 1.1 googleCF-Cache-Status: EXPIREDExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"X-Content-Type-Options: nosniffServer: cloudflare
Source: angular.js.1.dr String found in binary or memory: http://angularjs.org
Source: widevinecdm.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: widevinecdm.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: widevinecdm.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: widevinecdm.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: widevinecdm.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: widevinecdm.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: widevinecdm.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: widevinecdm.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: widevinecdm.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: widevinecdm.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: angular.js.1.dr String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.1.dr String found in binary or memory: http://llvm.org/):
Source: widevinecdm.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: widevinecdm.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: widevinecdm.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: widevinecdm.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, manifest.json4.1.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.1.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: data_1.2.dr String found in binary or memory: https://api.ipify.org/?format=json
Source: Proof oF Payment.htm String found in binary or memory: https://api.ipify.org?format=json
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, manifest.json4.1.dr String found in binary or memory: https://apis.google.com
Source: mirroring_common.js.1.dr String found in binary or memory: https://apis.google.com/js/client.js
Source: mirroring_common.js.1.dr String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json0.1.dr, manifest.json5.1.dr, manifest.json.1.dr, manifest.json3.1.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients6.google.com
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: Proof oF Payment.htm, data_1.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.4.1.min.js
Source: data_1.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.4.1.min.jst
Source: manifest.json4.1.dr String found in binary or memory: https://content.googleapis.com
Source: common.js.1.dr, mirroring_cast_streaming.js.1.dr String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: LICENSE.txt.1.dr String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.1.dr String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: data_2.2.dr String found in binary or memory: https://csp.withgoogle.com/csp/apps-themes
Source: data_2.2.dr String found in binary or memory: https://csp.withgoogle.com/csp/apps-themesCross-Origin-Resource-Policy:
Source: data_2.2.dr String found in binary or memory: https://csp.withgoogle.com/csp/report-to/apps-themes
Source: data_3.2.dr, Reporting and NEL.2.dr String found in binary or memory: https://csp.withgoogle.com/csp/report-to/encsid_AZM8iraMxxUfRnRum-EGst9UuHcPNVSf9Kp1_90wIgU
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, b3e269f4-88fe-40f9-99e0-653c8a04299f.tmp.2.dr, 18ac3252-3be5-45df-8dc9-3756c5c5d51d.tmp.2.dr String found in binary or memory: https://dns.google
Source: mirroring_common.js.1.dr String found in binary or memory: https://docs.google.com
Source: LICENSE.txt.1.dr String found in binary or memory: https://easylist.to/)
Source: manifest.json4.1.dr String found in binary or memory: https://feedback.googleusercontent.com
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr String found in binary or memory: https://fonts.googleapis.com
Source: data_1.2.dr String found in binary or memory: https://fonts.googleapis.com/css?family=PT
Source: manifest.json4.1.dr String found in binary or memory: https://fonts.googleapis.com;
Source: data_3.2.dr String found in binary or memory: https://fonts.gstatic.com
Source: data_2.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0-ExdGM.woff2)
Source: data_1.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0KExQ.woff2
Source: data_2.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0KExQ.woff2)
Source: data_1.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0KExQ.woff2I
Source: data_2.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0aExdGM.woff2)
Source: data_2.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0yExdGM.woff2)
Source: data_1.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0O6tLQ.woff2
Source: data_2.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0O6tLQ.woff2)
Source: data_2.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0OCtLQ0Z.woff2)
Source: data_2.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0OOtLQ0Z.woff2)
Source: data_2.2.dr String found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0OqtLQ0Z.woff2)
Source: manifest.json4.1.dr String found in binary or memory: https://fonts.gstatic.com;
Source: angular.js.1.dr String found in binary or memory: https://github.com/angular/material
Source: LICENSE.txt.1.dr String found in binary or memory: https://github.com/easylist)
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json4.1.dr String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: Proof oF Payment.htm String found in binary or memory: https://i.gyazo.com/049bc4624875e35c9a678af7eb99bb95.jpg)
Source: Proof oF Payment.htm String found in binary or memory: https://mail1.ccistack.com/fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6MWYyZDNi
Source: Proof oF Payment.htm String found in binary or memory: https://mail1.ccistack.com/fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6YTc/YTBj
Source: mirroring_common.js.1.dr String found in binary or memory: https://meet.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://meetings.clients6.google.com
Source: mirroring_common.js.1.dr String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr String found in binary or memory: https://ogs.google.com
Source: manifest.json0.1.dr, craw_window.js.1.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr String found in binary or memory: https://r4---sn-h0jeln7l.gvt1.com
Source: data_1.2.dr String found in binary or memory: https://r4---sn-h0jeln7l.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=102.1
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr String found in binary or memory: https://redirector.gvt1.com
Source: data_1.2.dr String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: Proof oF Payment.htm String found in binary or memory: https://s3-us-west-2.amazonaws.com/s.cdpn.io/3/check.svg);background-size:
Source: manifest.json0.1.dr, craw_window.js.1.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr String found in binary or memory: https://ssl.gstatic.com
Source: messages.json123.1.dr, feedback.html.1.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json123.1.dr, feedback.html.1.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: widevinecdm.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, manifest.json4.1.dr String found in binary or memory: https://www.google.com
Source: manifest.json0.1.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.1.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.1.dr String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json4.1.dr String found in binary or memory: https://www.google.com;
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json4.1.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json4.1.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json4.1.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json4.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json4.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json4.1.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json4.1.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json4.1.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/calendar/v3
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/hangouts/v1
Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr String found in binary or memory: https://www.gstatic.com
Source: common.js.1.dr String found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
Source: manifest.json4.1.dr String found in binary or memory: https://www.gstatic.com;
Source: Proof oF Payment.htm String found in binary or memory: https://www.moneyminerxyx.xyz/dude/post.php
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /049bc4624875e35c9a678af7eb99bb95.jpg HTTP/1.1Host: i.gyazo.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6MWYyZDNiMzJmP2RmNmZlMjQ+MmJjZmRhMTI1MzUwMGQyPmRhNjc0ZiFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fadobe-logo-5CC38E11AD-seeklogo.com.png&fmlBlkTk HTTP/1.1Host: mail1.ccistack.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6YTc/YTBjPmIyNjJlMT41MT82MGM+MDExZGI/YzU/MDcwYTZmMzMyMyFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fAdobe_PDF-logo-D4883D5CD6-seeklogo.com.png&fmlBlkTk HTTP/1.1Host: mail1.ccistack.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /s/ptsans/v12/jizfRExUiTo99u79B_mh0O6tLQ.woff2 HTTP/1.1Host: fonts.gstatic.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://fonts.googleapis.com/css?family=PT+Sans:400,700Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /s/ptsans/v12/jizaRExUiTo99u79D0KExQ.woff2 HTTP/1.1Host: fonts.gstatic.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://fonts.googleapis.com/css?family=PT+Sans:400,700Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /?format=json HTTP/1.1Host: api.ipify.orgConnection: keep-aliveAccept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6MWYyZDNiMzJmP2RmNmZlMjQ+MmJjZmRhMTI1MzUwMGQyPmRhNjc0ZiFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fadobe-logo-5CC38E11AD-seeklogo.com.png&fmlBlkTk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: mail1.ccistack.com
Source: global traffic HTTP traffic detected: GET /fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6YTc/YTBjPmIyNjJlMT41MT82MGM+MDExZGI/YzU/MDcwYTZmMzMyMyFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fAdobe_PDF-logo-D4883D5CD6-seeklogo.com.png&fmlBlkTk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: mail1.ccistack.com
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown HTTPS traffic detected: 198.11.15.51:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.11.15.51:443 -> 192.168.2.6:49776 version: TLS 1.2

System Summary:

barindex
HTML document with suspicious title
Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm Tab title: Adobe PDF
HTML document with suspicious name
Source: Name includes: Proof oF Payment.htm Initial sample: payment
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\Proof oF Payment.htm'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,5238171420075082225,5461324810935906513,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1964 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,5238171420075082225,5461324810935906513,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1964 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: Proof oF Payment.htm Joe Sandbox Cloud Basic: Detection: clean Score: 0 Perma Link
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-617828DA-13B8.pma Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\fe8830a3-4063-495e-9a21-c6fc9807610c.tmp Jump to behavior
Source: classification engine Classification label: mal60.phis.winHTM@35/263@8/10
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: Binary string: widevinecdm.dll.pdb source: widevinecdm.dll.1.dr
Source: Binary string: widevinecdm.dll.pdb@ source: widevinecdm.dll.1.dr

Data Obfuscation:

barindex
PE file contains an invalid checksum
Source: widevinecdm.dll.1.dr Static PE information: real checksum: 0x9e9a16 should be:
PE file contains sections with non-standard names
Source: widevinecdm.dll.1.dr Static PE information: section name: .00cfg
Source: widevinecdm.dll.1.dr Static PE information: section name: .rodata
Source: widevinecdm.dll.1.dr Static PE information: section name: _RDATA

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\5048_1274014156\_platform_specific\win_x64\widevinecdm.dll Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\5048_2090465519\LICENSE.txt Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 509223 Sample: Proof oF Payment.htm Startdate: 26/10/2021 Architecture: WINDOWS Score: 60 22 mail1.ccistack.com 2->22 34 Yara detected HtmlPhish10 2->34 36 HTML document with suspicious name 2->36 38 HTML document with suspicious title 2->38 40 Phishing site detected (based on various OCR indicators) 2->40 7 chrome.exe 16 458 2->7         started        signatures3 process4 dnsIp5 24 192.168.2.1 unknown unknown 7->24 26 239.255.255.250 unknown Reserved 7->26 14 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 7->14 dropped 16 C:\Users\user\AppData\...\widevinecdm.dll, PE32+ 7->16 dropped 18 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 7->18 dropped 20 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 7->20 dropped 11 chrome.exe 20 7->11         started        file6 process7 dnsIp8 28 gstaticadssl.l.google.com 142.250.185.131, 443, 49761, 49763 GOOGLEUS United States 11->28 30 googlehosted.l.googleusercontent.com 142.250.186.97, 443, 49778 GOOGLEUS United States 11->30 32 10 other IPs or domains 11->32
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.19.143.111
 i.gyazo.com United States
13335 CLOUDFLARENETUS false
3.232.242.170
 api.ipify.org.herokudns.com United States
14618 AMAZON-AESUS false
216.58.215.238
 clients.l.google.com United States
15169 GOOGLEUS false
198.11.15.51
 mail1.ccistack.com United States
27241 AS-CP01US false
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.185.131
 gstaticadssl.l.google.com United States
15169 GOOGLEUS false
142.250.186.97
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
142.250.203.109
 accounts.google.com United States
15169 GOOGLEUS false

Private
IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
gstaticadssl.l.google.com 142.250.185.131 true
accounts.google.com 142.250.203.109 true
api.ipify.org.herokudns.com 3.232.242.170 true
i.gyazo.com 104.19.143.111 true
mail1.ccistack.com 198.11.15.51 true
clients.l.google.com 216.58.215.238 true
googlehosted.l.googleusercontent.com 142.250.186.97 true
clients2.googleusercontent.com unknown unknown
clients2.google.com unknown unknown
code.jquery.com unknown unknown
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://mail1.ccistack.com/fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6MWYyZDNiMzJmP2RmNmZlMjQ+MmJjZmRhMTI1MzUwMGQyPmRhNjc0ZiFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fadobe-logo-5CC38E11AD-seeklogo.com.png&fmlBlkTk false
  • Avira URL Cloud: safe
 unknown
https://i.gyazo.com/049bc4624875e35c9a678af7eb99bb95.jpg false
    		high
    https://clients2.googleusercontent.com/crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx false
      		high
      https://api.ipify.org/?format=json false
        		high
        https://mail1.ccistack.com/fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6YTc/YTBjPmIyNjJlMT41MT82MGM+MDExZGI/YzU/MDcwYTZmMzMyMyFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fAdobe_PDF-logo-D4883D5CD6-seeklogo.com.png&fmlBlkTk false
        • Avira URL Cloud: safe
        		 unknown
        https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
          		high
          https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
            		high
            file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htm true
              		low