Loading ...

Play interactive tourEdit tour

Windows Analysis Report Proof oF Payment.htm

Overview

General Information

Sample Name:Proof oF Payment.htm
Analysis ID:509223
MD5:0727b75ec19fbc0337f69ceb06d56694
SHA1:ddbd82337b70dbfba9c2a244b4cd2d962ab7552b
SHA256:f9e764b07015f388de096a1b240b7d7e96ce615abf32c63f7afc848a1822ae2a
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected HtmlPhish10
HTML document with suspicious title
Phishing site detected (based on various OCR indicators)
HTML document with suspicious name
PE file contains an invalid checksum
Drops PE files
None HTTPS page querying sensitive user data (password, username or email)
PE file contains sections with non-standard names
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
HTML body contains low number of good links
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 5048 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\Proof oF Payment.htm' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 4388 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,5238171420075082225,5461324810935906513,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1964 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Proof oF Payment.htmJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Phishing:

    barindex
    Yara detected HtmlPhish10Show sources
    Source: Yara matchFile source: Proof oF Payment.htm, type: SAMPLE
    Source: Yara matchFile source: 11693.0.pages.csv, type: HTML
    Phishing site detected (based on various OCR indicators)Show sources
    Source: ScreenshotsOCR Text: Sign in to view the document D0 0
    Source: ScreenshotsOCR Text: Downloading proxy script,,. O Type here to search E Yd Adobe POEX + <- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm a X *i Sign in to view the document D0 0 Turn on Windows Firewall Windows Firewall is turned off. Tap or click to turn it on. Security and Maintenance Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to view the document D0 0 Yd Adobe PDFX + t- e G) File I C:/Users/user/Desktop/Proof%20oF%20Payment.htm - a X *i Sign in to vie
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: Has password / email / username input fields
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: Has password / email / username input fields
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: HTML title missing
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: HTML title missing
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: Number of links: 0
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: Number of links: 0
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: No <meta name="author".. found
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: No <meta name="author".. found
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: No <meta name="copyright".. found
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmHTTP Parser: No <meta name="copyright".. found
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\5048_2090465519\LICENSE.txtJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior
    Source: unknownHTTPS traffic detected: 198.11.15.51:443 -> 192.168.2.6:49775 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 198.11.15.51:443 -> 192.168.2.6:49776 version: TLS 1.2
    Source: Binary string: widevinecdm.dll.pdb source: widevinecdm.dll.1.dr
    Source: Binary string: widevinecdm.dll.pdb@ source: widevinecdm.dll.1.dr
    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Joe Sandbox ViewIP Address: 104.19.143.111 104.19.143.111
    Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
    Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
    Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
    Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
    Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
    Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
    Source: Ruleset Data.1.drString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
    Source: Filtering Rules.1.drString found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
    Source: Filtering Rules.1.drString found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 26 Oct 2021 07:12:14 GMTContent-Type: text/plain; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 6a41e006cb614e26-FRACache-Control: public, max-age=31536000Expires: Wed, 26 Oct 2022 07:12:14 GMTVary: Accept-EncodingVia: 1.1 googleCF-Cache-Status: EXPIREDExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"X-Content-Type-Options: nosniffServer: cloudflare
    Source: angular.js.1.drString found in binary or memory: http://angularjs.org
    Source: widevinecdm.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: widevinecdm.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
    Source: widevinecdm.dll.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: widevinecdm.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
    Source: widevinecdm.dll.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: widevinecdm.dll.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
    Source: widevinecdm.dll.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: widevinecdm.dll.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: widevinecdm.dll.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
    Source: widevinecdm.dll.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: angular.js.1.drString found in binary or memory: http://errors.angularjs.org/1.6.4-local
    Source: pnacl_public_x86_64_pnacl_sz_nexe.1.drString found in binary or memory: http://llvm.org/):
    Source: widevinecdm.dll.1.drString found in binary or memory: http://ocsp.digicert.com0C
    Source: widevinecdm.dll.1.drString found in binary or memory: http://ocsp.digicert.com0N
    Source: widevinecdm.dll.1.drString found in binary or memory: http://ocsp.digicert.com0O
    Source: mirroring_hangouts.js.1.drString found in binary or memory: http://tools.ietf.org/html/rfc1950
    Source: mirroring_hangouts.js.1.drString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: widevinecdm.dll.1.drString found in binary or memory: http://www.digicert.com/CPS0
    Source: mirroring_hangouts.js.1.drString found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
    Source: mirroring_hangouts.js.1.drString found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, manifest.json4.1.drString found in binary or memory: https://accounts.google.com
    Source: craw_window.js.1.drString found in binary or memory: https://accounts.google.com/MergeSession
    Source: data_1.2.drString found in binary or memory: https://api.ipify.org/?format=json
    Source: Proof oF Payment.htmString found in binary or memory: https://api.ipify.org?format=json
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, manifest.json4.1.drString found in binary or memory: https://apis.google.com
    Source: mirroring_common.js.1.drString found in binary or memory: https://apis.google.com/js/client.js
    Source: mirroring_common.js.1.drString found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
    Source: pnacl_public_x86_64_libcrt_platform_a.1.drString found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
    Source: pnacl_public_x86_64_libcrt_platform_a.1.drString found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.drString found in binary or memory: https://clients2.google.com
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://clients2.google.com/cr/report
    Source: manifest.json0.1.dr, manifest.json5.1.dr, manifest.json.1.dr, manifest.json3.1.drString found in binary or memory: https://clients2.google.com/service/update2/crx
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.drString found in binary or memory: https://clients2.googleusercontent.com
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://clients6.google.com
    Source: pnacl_public_x86_64_ld_nexe.1.drString found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
    Source: pnacl_public_x86_64_ld_nexe.1.drString found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
    Source: Proof oF Payment.htm, data_1.2.drString found in binary or memory: https://code.jquery.com/jquery-3.4.1.min.js
    Source: data_1.2.drString found in binary or memory: https://code.jquery.com/jquery-3.4.1.min.jst
    Source: manifest.json4.1.drString found in binary or memory: https://content.googleapis.com
    Source: common.js.1.dr, mirroring_cast_streaming.js.1.drString found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
    Source: LICENSE.txt.1.drString found in binary or memory: https://creativecommons.org/.
    Source: LICENSE.txt.1.drString found in binary or memory: https://creativecommons.org/compatiblelicenses
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
    Source: data_2.2.drString found in binary or memory: https://csp.withgoogle.com/csp/apps-themes
    Source: data_2.2.drString found in binary or memory: https://csp.withgoogle.com/csp/apps-themesCross-Origin-Resource-Policy:
    Source: data_2.2.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/apps-themes
    Source: data_3.2.dr, Reporting and NEL.2.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/encsid_AZM8iraMxxUfRnRum-EGst9UuHcPNVSf9Kp1_90wIgU
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, b3e269f4-88fe-40f9-99e0-653c8a04299f.tmp.2.dr, 18ac3252-3be5-45df-8dc9-3756c5c5d51d.tmp.2.drString found in binary or memory: https://dns.google
    Source: mirroring_common.js.1.drString found in binary or memory: https://docs.google.com
    Source: LICENSE.txt.1.drString found in binary or memory: https://easylist.to/)
    Source: manifest.json4.1.drString found in binary or memory: https://feedback.googleusercontent.com
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.drString found in binary or memory: https://fonts.googleapis.com
    Source: data_1.2.drString found in binary or memory: https://fonts.googleapis.com/css?family=PT
    Source: manifest.json4.1.drString found in binary or memory: https://fonts.googleapis.com;
    Source: data_3.2.drString found in binary or memory: https://fonts.gstatic.com
    Source: data_2.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0-ExdGM.woff2)
    Source: data_1.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0KExQ.woff2
    Source: data_2.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0KExQ.woff2)
    Source: data_1.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0KExQ.woff2I
    Source: data_2.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0aExdGM.woff2)
    Source: data_2.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizaRExUiTo99u79D0yExdGM.woff2)
    Source: data_1.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0O6tLQ.woff2
    Source: data_2.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0O6tLQ.woff2)
    Source: data_2.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0OCtLQ0Z.woff2)
    Source: data_2.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0OOtLQ0Z.woff2)
    Source: data_2.2.drString found in binary or memory: https://fonts.gstatic.com/s/ptsans/v12/jizfRExUiTo99u79B_mh0OqtLQ0Z.woff2)
    Source: manifest.json4.1.drString found in binary or memory: https://fonts.gstatic.com;
    Source: angular.js.1.drString found in binary or memory: https://github.com/angular/material
    Source: LICENSE.txt.1.drString found in binary or memory: https://github.com/easylist)
    Source: craw_background.js.1.dr, craw_window.js.1.drString found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://hangouts.clients6.google.com
    Source: manifest.json4.1.drString found in binary or memory: https://hangouts.google.com/
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
    Source: Proof oF Payment.htmString found in binary or memory: https://i.gyazo.com/049bc4624875e35c9a678af7eb99bb95.jpg)
    Source: Proof oF Payment.htmString found in binary or memory: https://mail1.ccistack.com/fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6MWYyZDNi
    Source: Proof oF Payment.htmString found in binary or memory: https://mail1.ccistack.com/fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6YTc/YTBj
    Source: mirroring_common.js.1.drString found in binary or memory: https://meet.google.com
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://meetings.clients6.google.com
    Source: mirroring_common.js.1.drString found in binary or memory: https://networktraversal.googleapis.com/v1alpha
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.drString found in binary or memory: https://ogs.google.com
    Source: manifest.json0.1.dr, craw_window.js.1.drString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.drString found in binary or memory: https://r4---sn-h0jeln7l.gvt1.com
    Source: data_1.2.drString found in binary or memory: https://r4---sn-h0jeln7l.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=102.1
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.drString found in binary or memory: https://redirector.gvt1.com
    Source: data_1.2.drString found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
    Source: Proof oF Payment.htmString found in binary or memory: https://s3-us-west-2.amazonaws.com/s.cdpn.io/3/check.svg);background-size:
    Source: manifest.json0.1.dr, craw_window.js.1.drString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.drString found in binary or memory: https://ssl.gstatic.com
    Source: messages.json123.1.dr, feedback.html.1.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json123.1.dr, feedback.html.1.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: craw_background.js.1.dr, craw_window.js.1.drString found in binary or memory: https://www-googleapis-staging.sandbox.google.com
    Source: widevinecdm.dll.1.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, manifest.json4.1.drString found in binary or memory: https://www.google.com
    Source: manifest.json0.1.drString found in binary or memory: https://www.google.com/
    Source: craw_window.js.1.drString found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
    Source: craw_window.js.1.drString found in binary or memory: https://www.google.com/images/cleardot.gif
    Source: craw_window.js.1.drString found in binary or memory: https://www.google.com/images/dot2.gif
    Source: craw_window.js.1.drString found in binary or memory: https://www.google.com/images/x2.gif
    Source: craw_background.js.1.drString found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
    Source: mirroring_hangouts.js.1.drString found in binary or memory: https://www.google.com/log?format=json&hasfast=true
    Source: feedback_script.js.1.drString found in binary or memory: https://www.google.com/tools/feedback
    Source: manifest.json4.1.drString found in binary or memory: https://www.google.com;
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.dr, craw_background.js.1.dr, craw_window.js.1.drString found in binary or memory: https://www.googleapis.com
    Source: manifest.json0.1.drString found in binary or memory: https://www.googleapis.com/
    Source: manifest.json4.1.drString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
    Source: manifest.json4.1.drString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
    Source: manifest.json0.1.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
    Source: manifest.json0.1.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
    Source: manifest.json4.1.drString found in binary or memory: https://www.googleapis.com/auth/clouddevices
    Source: manifest.json4.1.drString found in binary or memory: https://www.googleapis.com/auth/hangouts
    Source: manifest.json4.1.drString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
    Source: manifest.json4.1.drString found in binary or memory: https://www.googleapis.com/auth/meetings
    Source: manifest.json4.1.drString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
    Source: manifest.json0.1.drString found in binary or memory: https://www.googleapis.com/auth/sierra
    Source: manifest.json0.1.drString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
    Source: manifest.json4.1.drString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
    Source: mirroring_common.js.1.drString found in binary or memory: https://www.googleapis.com/calendar/v3
    Source: mirroring_common.js.1.drString found in binary or memory: https://www.googleapis.com/hangouts/v1
    Source: 921752e4-5ab0-42e9-a075-305abe17a27d.tmp.2.dr, 2ac370c6-5316-458a-b972-7967e1864dc1.tmp.2.drString found in binary or memory: https://www.gstatic.com
    Source: common.js.1.drString found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
    Source: manifest.json4.1.drString found in binary or memory: https://www.gstatic.com;
    Source: Proof oF Payment.htmString found in binary or memory: https://www.moneyminerxyx.xyz/dude/post.php
    Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: unknownDNS traffic detected: queries for: clients2.google.com
    Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /049bc4624875e35c9a678af7eb99bb95.jpg HTTP/1.1Host: i.gyazo.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6MWYyZDNiMzJmP2RmNmZlMjQ+MmJjZmRhMTI1MzUwMGQyPmRhNjc0ZiFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fadobe-logo-5CC38E11AD-seeklogo.com.png&fmlBlkTk HTTP/1.1Host: mail1.ccistack.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6YTc/YTBjPmIyNjJlMT41MT82MGM+MDExZGI/YzU/MDcwYTZmMzMyMyFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fAdobe_PDF-logo-D4883D5CD6-seeklogo.com.png&fmlBlkTk HTTP/1.1Host: mail1.ccistack.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /s/ptsans/v12/jizfRExUiTo99u79B_mh0O6tLQ.woff2 HTTP/1.1Host: fonts.gstatic.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://fonts.googleapis.com/css?family=PT+Sans:400,700Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /s/ptsans/v12/jizaRExUiTo99u79D0KExQ.woff2 HTTP/1.1Host: fonts.gstatic.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://fonts.googleapis.com/css?family=PT+Sans:400,700Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /?format=json HTTP/1.1Host: api.ipify.orgConnection: keep-aliveAccept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6MWYyZDNiMzJmP2RmNmZlMjQ+MmJjZmRhMTI1MzUwMGQyPmRhNjc0ZiFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fadobe-logo-5CC38E11AD-seeklogo.com.png&fmlBlkTk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: mail1.ccistack.com
    Source: global trafficHTTP traffic detected: GET /fmlurlsvc/?fewReq=:B:JVc9NjIyPSFxOjUpNyFuYzo3Nj03NiF0bmBpZnNydWI6YTc/YTBjPmIyNjJlMT41MT82MGM+MDExZGI/YzU/MDcwYTZmMzMyMyFzOjYxNDI2PjE0MjYhdm5jOjY+V0tEUjBENzc+Mjc+KjY+V0tEUjBDNzc+Mjc+IXVkd3M6bGtmZnRxZmlzb2hodUdkZG5qZm5rKWRoaiFkOjY+IW9jazo3&url=https%3a%2f%2fseeklogo.com%2fimages%2fA%2fAdobe_PDF-logo-D4883D5CD6-seeklogo.com.png&fmlBlkTk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: mail1.ccistack.com
    Source: global trafficHTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: unknownHTTPS traffic detected: 198.11.15.51:443 -> 192.168.2.6:49775 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 198.11.15.51:443 -> 192.168.2.6:49776 version: TLS 1.2

    System Summary:

    barindex
    HTML document with suspicious titleShow sources
    Source: file:///C:/Users/user/Desktop/Proof%20oF%20Payment.htmTab title: Adobe PDF
    HTML document with suspicious nameShow sources
    Source: Name includes: Proof oF Payment.htmInitial sample: payment
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\Proof oF Payment.htm'
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,5238171420075082225,5461324810935906513,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1964 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,5238171420075082225,5461324810935906513,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1964 /prefetch:8Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: Proof oF Payment.htmJoe Sandbox Cloud Basic: Detection: clean Score: 0Perma Link
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-617828DA-13B8.pmaJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\fe8830a3-4063-495e-9a21-c6fc9807610c.tmpJump to behavior
    Source: classification engineClassification label: mal60.phis.winHTM@35/263@8/10
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior
    Source: Binary string: widevinecdm.dll.pdb source: widevinecdm.dll.1.dr
    Source: Binary string: widevinecdm.dll.pdb@ source: widevinecdm.dll.1.dr
    Source: widevinecdm.dll.1.drStatic PE information: real checksum: 0x9e9a16 should be:
    Source: widevinecdm.dll.1.drStatic PE information: section name: .00cfg
    Source: widevinecdm.dll.1.drStatic PE information: section name: .rodata
    Source: widevinecdm.dll.1.drStatic PE information: section name: _RDATA
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\5048_1274014156\_platform_specific\win_x64\widevinecdm.dllJump to dropped file
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\5048_2090465519\LICENSE.txtJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading3OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol4Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol5Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferIngress Tool Transfer3SIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped