Windows Analysis Report dot#U007eremit-2458 xls.HtmL

Overview

General Information

Sample Name: dot#U007eremit-2458 xls.HtmL
Analysis ID: 510715
MD5: 06c955ee1ca950c2e27338b6821091b4
SHA1: f2be2b388ec301e4d599495f2fe2f5c5e4f8f9d5
SHA256: b85342496c69b4ec5bee7128f82884b68bcfac016b287a6d86a981f63c03130c
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
Yara detected HtmlPhish6
HTML document with suspicious title
HTML document with suspicious name
Found iframes
None HTTPS page querying sensitive user data (password, username or email)
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
HTML body contains low number of good links
IP address seen in connection with other malware

Classification

Phishing:

barindex
Yara detected HtmlPhish10
Source: Yara match File source: 83002.0.pages.csv, type: HTML
Source: Yara match File source: 15382.1.pages.csv, type: HTML
Yara detected HtmlPhish6
Source: Yara match File source: 15382.1.pages.csv, type: HTML
Found iframes
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: Iframe src: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: Iframe src: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: Has password / email / username input fields
No HTML title found
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: HTML title missing
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\5936_681274031\LICENSE.txt Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: unknown HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.23:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.23:443 -> 192.168.2.3:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.3:49793 version: TLS 1.2

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.18.10.207 104.18.10.207
Source: Joe Sandbox View IP Address: 151.101.112.193 151.101.112.193
Source: Joe Sandbox View IP Address: 151.101.112.193 151.101.112.193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
Source: angular.js.0.dr String found in binary or memory: http://angularjs.org
Source: angular.js.0.dr String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr String found in binary or memory: http://llvm.org/):
Source: mirroring_hangouts.js.0.dr String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: mirroring_hangouts.js.0.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mirroring_hangouts.js.0.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.0.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: data_1.1.dr String found in binary or memory: http://yourjavascript.com/12250612439/090.js
Source: Reporting and NEL.1.dr String found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=%2FRBnmoNIMQK9TQOYuzH35FEgCAr3VX6mucpDWkjAvUpDkvOxZ8hDcSQyV
Source: Reporting and NEL.1.dr String found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=1SInTFG%2Bw7oyTqDsCPmAUFPyez6Gt5KzVNqb8mweFCzd%2FF%2BCAPFGd
Source: Reporting and NEL.1.dr String found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=oiOwVIvsFcpIOuZEGT%2FaLqnGjYwRmut7V1w%2B9GxXqR9HT%2BHbZW8le
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/aad.login.min_ktc4wemsewhydsbdjhhsja2.js
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_kfhrfyfy-sm2tmkm5ficc
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/jquery.3.5.min_dc940oomzau4rsu8qesnvg2.js
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/microsoft_logo.png
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2-small_e58aafc980614a9cd7796bea7b
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_7916a894ebde7d29c2cc29b267f1299f
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/personal_account_0f72b5950600f24e7f9a604b186f3
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/work_account_1963c6b1926b773986f53f844ce4c32e.
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr, manifest.json0.0.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://ajax.googleapis.com
Source: data_1.1.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
Source: data_1.1.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: data_1.1.dr, data_2.1.dr String found in binary or memory: https://api-images.statvoo.com/favicon/?domain=dot.gov
Source: data_2.1.dr String found in binary or memory: https://api-images.statvoo.com/favicon/?domain=dot.govCF-Cache-Status:
Source: data_1.1.dr String found in binary or memory: https://api.statvoo.com/favicon/?url=dot.gov
Source: data_2.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://apis.google.com
Source: mirroring_common.js.0.dr String found in binary or memory: https://apis.google.com/js/client.js
Source: mirroring_common.js.0.dr String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
Source: data_1.1.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: data_1.1.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.jsM
Source: pnacl_public_x86_64_libcrt_platform_a.0.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libcrt_platform_a.0.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.0.dr, mirroring_cast_streaming.js.0.dr String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json1.0.dr, manifest.json.0.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://clients6.google.com
Source: pnacl_public_x86_64_ld_nexe.0.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.0.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: data_1.1.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.min.js
Source: manifest.json0.0.dr String found in binary or memory: https://content.googleapis.com
Source: mirroring_cast_streaming.js.0.dr, common.js.0.dr String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: LICENSE.txt.0.dr String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: data_3.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushers
Source: data_3.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushersCross-Origin-Resource-Policy:
Source: Reporting and NEL.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external
Source: data_3.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr, 7b2e096e-bf85-43a2-b455-d0d216acec4a.tmp.1.dr, d4e2e6fd-494c-4bbe-8cac-5157a02d2090.tmp.1.dr, 8e6a9af4-4995-4e3a-9334-48f34435fdd0.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://dns.google
Source: mirroring_common.js.0.dr String found in binary or memory: https://docs.google.com
Source: LICENSE.txt.0.dr String found in binary or memory: https://easylist.to/)
Source: manifest.json0.0.dr String found in binary or memory: https://feedback.googleusercontent.com
Source: 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.0.dr String found in binary or memory: https://fonts.googleapis.com;
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.0.dr String found in binary or memory: https://fonts.gstatic.com;
Source: material_css_min.css.0.dr String found in binary or memory: https://github.com/angular/material
Source: LICENSE.txt.0.dr String found in binary or memory: https://github.com/easylist)
Source: craw_window.js.0.dr, craw_background.js.0.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json0.0.dr String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: data_1.1.dr String found in binary or memory: https://i.ibb.co/Ks1Ymjk/aw2.png
Source: data_1.1.dr String found in binary or memory: https://i.ibb.co/XJ3Zqnc/off.png
Source: data_1.1.dr String found in binary or memory: https://i.ibb.co/XJ3Zqnc/off.png2O
Source: data_1.1.dr String found in binary or memory: https://i.imgur.com/z6J7jf0.png
Source: Reporting and NEL.1.dr String found in binary or memory: https://identity.nel.measure.office.net/api/report?catId=GW
Source: Current Session.0.dr String found in binary or memory: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://mcusercontent.com
Source: data_1.1.dr String found in binary or memory: https://mcusercontent.com/fad37b9e64aebdb27a12f1f90/files/0fa2711d-f9fc-2f9d-315c-63f68426b165/boots
Source: data_1.1.dr String found in binary or memory: https://mcusercontent.com/fad37b9e64aebdb27a12f1f90/files/bcc3a6bb-c040-3016-ea9e-a7d670211df3/all.c
Source: mirroring_common.js.0.dr String found in binary or memory: https://meet.google.com
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://meetings.clients6.google.com
Source: mirroring_common.js.0.dr String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://ogs.google.com
Source: craw_window.js.0.dr, manifest.json1.0.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://play.google.com
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://r4---sn-4g5ednsl.gvt1.com
Source: data_3.1.dr String found in binary or memory: https://r4---sn-4g5ednsl.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://redirector.gvt1.com
Source: data_1.1.dr String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: craw_window.js.0.dr, manifest.json1.0.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: data_2.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://ssl.gstatic.com
Source: data_1.1.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: data_1.1.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.bundle.min.js
Source: data_1.1.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js
Source: messages.json41.0.dr, feedback.html.0.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json41.0.dr, feedback.html.0.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: craw_window.js.0.dr, craw_background.js.0.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: data_2.1.dr String found in binary or memory: https://www.google-analytics.com;report-uri
Source: data_2.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://www.google.com
Source: manifest.json1.0.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: data_1.1.dr, data_2.1.dr String found in binary or memory: https://www.google.com/s2/favicons?sz=64&domain_url=dot.gov
Source: data_2.1.dr String found in binary or memory: https://www.google.com/s2/favicons?sz=64&domain_url=dot.govCF-Cache-Status:
Source: data_1.1.dr String found in binary or memory: https://www.google.com/s2/favicons?sz=64&domain_url=dot.govD
Source: feedback_script.js.0.dr String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json0.0.dr String found in binary or memory: https://www.google.com;
Source: dfaf24ef-dfc7-40a2-bffa-6260bbafff15.tmp.1.dr, 2409d322-c3eb-4258-a9bb-b339049274b5.tmp.1.dr, edc54a22-ef3a-416d-936b-10193b4fa724.tmp.1.dr, craw_window.js.0.dr, craw_background.js.0.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: mirroring_common.js.0.dr String found in binary or memory: https://www.googleapis.com/calendar/v3
Source: mirroring_common.js.0.dr String found in binary or memory: https://www.googleapis.com/hangouts/v1
Source: data_2.1.dr, 1eaa37f7-aa40-406a-8631-e187995e1dce.tmp.1.dr String found in binary or memory: https://www.gstatic.com
Source: common.js.0.dr String found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
Source: manifest.json0.0.dr String found in binary or memory: https://www.gstatic.com;
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fad37b9e64aebdb27a12f1f90/files/0fa2711d-f9fc-2f9d-315c-63f68426b165/bootstrap.min.css HTTP/1.1Host: mcusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fad37b9e64aebdb27a12f1f90/files/bcc3a6bb-c040-3016-ea9e-a7d670211df3/all.css HTTP/1.1Host: mcusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /bootstrap/4.3.1/js/bootstrap.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /bootstrap/4.3.1/js/bootstrap.bundle.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ajax/libs/jquery/3.3.1/jquery.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Ks1Ymjk/aw2.png HTTP/1.1Host: i.ibb.coConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /z6J7jf0.png HTTP/1.1Host: i.imgur.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2-small_e58aafc980614a9cd7796bea7b5ea8f0.jpg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_7916a894ebde7d29c2cc29b267f1299f.jpg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/images/microsoft_logo.png HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/work_account_1963c6b1926b773986f53f844ce4c32e.png HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/personal_account_0f72b5950600f24e7f9a604b186f3945.png HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/cdnbundles/converged.v2.login.min_kfhrfyfy-sm2tmkm5ficcw2.css HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /XJ3Zqnc/off.png HTTP/1.1Host: i.ibb.coConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/cdnbundles/jquery.3.5.min_dc940oomzau4rsu8qesnvg2.js HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/cdnbundles/aad.login.min_ktc4wemsewhydsbdjhhsja2.js HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon/?url=dot.gov HTTP/1.1Host: api.statvoo.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon/?domain=dot.gov HTTP/1.1Host: api-images.statvoo.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /s2/favicons?sz=64&domain_url=dot.gov HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: aadcdn.msftauth.net
Source: global traffic HTTP traffic detected: GET /favicon/?url=dot.gov HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: api.statvoo.com
Source: global traffic HTTP traffic detected: GET /favicon/?domain=dot.gov HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: api-images.statvoo.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s2/favicons?sz=64&domain_url=dot.gov HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Connection: Keep-AliveHost: www.google.com
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /12250612439/090.js HTTP/1.1Host: yourjavascript.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /home/css/jquery.session.min.js HTTP/1.1Host: 201911040231048719416.onamaeweb.jpConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: unknown HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.23:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.23:443 -> 192.168.2.3:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.3:49793 version: TLS 1.2

System Summary:

barindex
HTML document with suspicious title
Source: file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL Tab title: Sign in
HTML document with suspicious name
Source: Name includes: dot#U007eremit-2458 xls.HtmL Initial sample: remit
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\dot#U007eremit-2458 xls.HtmL'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,11413708673817816944,4008373660854409865,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,11413708673817816944,4008373660854409865,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: dot#U007eremit-2458 xls.HtmL Joe Sandbox Cloud Basic: Detection: clean Score: 0 Perma Link
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-617A9FED-1730.pma Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\674836b9-d067-4c30-92ce-680edc53db37.tmp Jump to behavior
Source: classification engine Classification label: mal64.phis.winHTML@34/258@22/17
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\5936_681274031\LICENSE.txt Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 510715 Sample: dot#U007eremit-2458 xls.HtmL Startdate: 28/10/2021 Architecture: WINDOWS Score: 64 20 www.google.com 2->20 22 i.ibb.co 2->22 24 4 other IPs or domains 2->24 36 Yara detected HtmlPhish10 2->36 38 Yara detected HtmlPhish6 2->38 40 HTML document with suspicious name 2->40 42 HTML document with suspicious title 2->42 7 chrome.exe 16 439 2->7         started        signatures3 process4 dnsIp5 26 192.168.2.1 unknown unknown 7->26 28 239.255.255.250 unknown Reserved 7->28 14 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 7->14 dropped 16 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 7->16 dropped 18 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 7->18 dropped 11 chrome.exe 34 7->11         started        file6 process7 dnsIp8 30 i.ibb.co 145.239.131.55, 443, 49757, 49772 OVHFR France 11->30 32 201911040231048719416.onamaeweb.jp 150.95.219.148, 49760, 49761, 80 INTERQGMOInternetIncJP Japan 11->32 34 21 other IPs or domains 11->34
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.185.228
 www.google.com United States
15169 GOOGLEUS false
104.18.10.207
 stackpath.bootstrapcdn.com United States
13335 CLOUDFLARENETUS false
151.101.112.193
 ipv4.imgur.map.fastly.net United States
54113 FASTLYUS false
104.16.18.94
 cdnjs.cloudflare.com United States
13335 CLOUDFLARENETUS false
145.239.131.55
 i.ibb.co France
16276 OVHFR false
172.217.16.142
 clients.l.google.com United States
15169 GOOGLEUS false
172.67.159.15
 api-images.statvoo.com United States
13335 CLOUDFLARENETUS false
172.217.16.129
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
104.21.41.23
 api.statvoo.com United States
13335 CLOUDFLARENETUS false
5.189.183.184
 yourjavascript.com Germany
51167 CONTABODE false
239.255.255.250
 unknown Reserved
unknown unknown false
150.95.219.148
 201911040231048719416.onamaeweb.jp Japan 7506 INTERQGMOInternetIncJP false
34.96.122.219
 mcusercontent.com United States
15169 GOOGLEUS false
216.58.212.141
 accounts.google.com United States
15169 GOOGLEUS false
152.199.23.37
 cs1100.wpc.omegacdn.net United States
15133 EDGECASTUS false

Private
IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
stackpath.bootstrapcdn.com 104.18.10.207 true
cs1100.wpc.omegacdn.net 152.199.23.37 true
accounts.google.com 216.58.212.141 true
mcusercontent.com 34.96.122.219 true
api.statvoo.com 104.21.41.23 true
api-images.statvoo.com 172.67.159.15 true
i.ibb.co 145.239.131.55 true
yourjavascript.com 5.189.183.184 true
cdnjs.cloudflare.com 104.16.18.94 true
www.google.com 142.250.185.228 true
clients.l.google.com 172.217.16.142 true
201911040231048719416.onamaeweb.jp 150.95.219.148 true
googlehosted.l.googleusercontent.com 172.217.16.129 true
ipv4.imgur.map.fastly.net 151.101.112.193 true
aadcdn.msftauth.net unknown unknown
aadcdn.msauth.net unknown unknown
clients2.googleusercontent.com unknown unknown
clients2.google.com unknown unknown
code.jquery.com unknown unknown
i.imgur.com unknown unknown
login.microsoftonline.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js false
    		high
    https://www.google.com/s2/favicons?sz=64&domain_url=dot.gov false
      		high
      https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392 false
        		high
        https://api.statvoo.com/favicon/?url=dot.gov false
        • Avira URL Cloud: safe
        		 unknown
        https://aadcdn.msftauth.net/shared/1.0/content/images/personal_account_0f72b5950600f24e7f9a604b186f3945.png false
        • Avira URL Cloud: safe
        		 unknown
        http://201911040231048719416.onamaeweb.jp/home/css/jquery.session.min.js false
        • Avira URL Cloud: safe
        		 unknown
        https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_7916a894ebde7d29c2cc29b267f1299f.jpg false
        • Avira URL Cloud: safe
        		 unknown
        https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.bundle.min.js false
          		high
          https://i.ibb.co/Ks1Ymjk/aw2.png false
            		high
            https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico false
            • URL Reputation: safe
            		 unknown
            https://api-images.statvoo.com/favicon/?domain=dot.gov false
            • Avira URL Cloud: safe
            		 unknown
            https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
              		high
              http://yourjavascript.com/12250612439/090.js false
              • Avira URL Cloud: safe
              		 unknown
              https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js false
                		high
                https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js false
                  		high
                  https://i.imgur.com/z6J7jf0.png false
                    		high
                    https://clients2.googleusercontent.com/crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx false
                      		high
                      https://mcusercontent.com/fad37b9e64aebdb27a12f1f90/files/bcc3a6bb-c040-3016-ea9e-a7d670211df3/all.css false
                      • Avira URL Cloud: safe
                      		 unknown
                      https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
                        		high
                        https://aadcdn.msftauth.net/ests/2.1/content/images/microsoft_logo.png false
                        • Avira URL Cloud: safe
                        		 unknown
                        https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/aad.login.min_ktc4wemsewhydsbdjhhsja2.js false
                        • Avira URL Cloud: safe
                        		 unknown
                        https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2-small_e58aafc980614a9cd7796bea7b5ea8f0.jpg false
                        • Avira URL Cloud: safe
                        		 unknown
                        https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_kfhrfyfy-sm2tmkm5ficcw2.css false
                        • Avira URL Cloud: safe
                        		 unknown
                        file:///C:/Users/user/Desktop/dot%23U007eremit-2458%20xls.HtmL true
                          		low
                          https://mcusercontent.com/fad37b9e64aebdb27a12f1f90/files/0fa2711d-f9fc-2f9d-315c-63f68426b165/bootstrap.min.css false
                          • Avira URL Cloud: safe
                          		 unknown