Windows Analysis Report Employee payment plan.HTM

Overview

General Information

Sample Name: Employee payment plan.HTM
Analysis ID: 528659
MD5: a388d7098689b73c17f99578caac5954
SHA1: 528cedeb607629e01226ecb2bd1cefef65405563
SHA256: 7f34faf06d8c3bfd1efaaf9372454c4076d4f7db20e3e6753afddd9353e05c08

Detection

Captcha Phish, HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish44
Yara detected Captcha Phish
HTML document with suspicious name
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 5608 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\Employee payment plan.HTM MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6260 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,11108747202742976980,3893295354224505846,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Employee payment plan.HTM | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Phishing:

    Yara detected HtmlPhish44
    Source: Yara match; File source: Employee payment plan.HTM, type: SAMPLE
    Yara detected Captcha Phish
    Source: Yara match; File source: 56049.1.pages.csv, type: HTML
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Local\Temp\5608_1135409741\LICENSE.txt
    Source: Joe Sandbox View; IP Address: 104.18.10.207
    Source: Joe Sandbox View; IP Address: 239.255.255.250
    Source: unknown; DNS traffic detected: queries for: clients2.google.com
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49777
    Source: unknown; Network traffic detected: HTTP traffic on port 49782 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49776
    Source: unknown; Network traffic detected: HTTP traffic on port 49783 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49779 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49783
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49782
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49781
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49792
    Source: unknown; Network traffic detected: HTTP traffic on port 49781 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49809
    Source: unknown; Network traffic detected: HTTP traffic on port 49776 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49809 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49777 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49778 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49792 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49779
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49778
    Source: global traffic; HTTP traffic detected:
        GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
        Host: clients2.google.com
        Connection: keep-alive
        X-Goog-Update-Interactivity: fg
        X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
        X-Goog-Update-Updater: chromecrx-85.0.4183.121
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global traffic; HTTP traffic detected:
        GET /?e=rmcgillivray@ardaman.com HTTP/1.1
        Host: a-tk7.online
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Sec-Fetch-Site: cross-site
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global traffic; HTTP traffic detected:
        GET /main HTTP/1.1
        Host: a-tk7.online
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Sec-Fetch-Site: cross-site
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
        Cookie: PHPSESSID=924hgi3mfco726m66cdif5en57
    Source: global traffic; HTTP traffic detected:
        GET /main/ HTTP/1.1
        Host: a-tk7.online
        Connection: keep-alive
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Sec-Fetch-Site: cross-site
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
        Cookie: PHPSESSID=924hgi3mfco726m66cdif5en57
    Source: global traffic; HTTP traffic detected:
        GET /recaptcha/api.js HTTP/1.1
        Host: www.google.com
        Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: */*
        Sec-Fetch-Site: cross-site
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: script
        Referer: https://a-tk7.online/main/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global traffic; HTTP traffic detected:
        GET /bootstrap/4.3.1/css/bootstrap.min.css HTTP/1.1
        Host: stackpath.bootstrapcdn.com
        Connection: keep-alive
        Origin: https://a-tk7.online
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: text/css,*/*;q=0.1
        Sec-Fetch-Site: cross-site
        Sec-Fetch-Mode: cors
        Sec-Fetch-Dest: style
        Referer: https://a-tk7.online/main/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: global traffic; HTTP traffic detected:
        GET /favicon.ico HTTP/1.1
        Host: a-tk7.online
        Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: image
        Referer: https://a-tk7.online/main/
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
        Cookie: PHPSESSID=924hgi3mfco726m66cdif5en57
    Source: global traffic; HTTP traffic detected:
        GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1
        Host: clients2.googleusercontent.com
        Connection: keep-alive
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Source: Ruleset Data.0.dr; String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
    Source: Filtering Rules.0.dr, Ruleset Data.0.dr; String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
    Source: Filtering Rules.0.dr; String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
    Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Thu, 25 Nov 2021 15:02:50 GMT
        Content-Type: text/html; charset=iso-8859-1
        Content-Length: 209
        Connection: close
    Source: angular.js.0.dr; String found in binary or memory: http://angularjs.org
    Source: data_3.1.dr; String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
    Source: data_3.1.dr; String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
    Source: data_3.1.dr; String found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
    Source: data_3.1.dr; String found in binary or memory: http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0
    Source: angular.js.0.dr; String found in binary or memory: http://errors.angularjs.org/1.6.4-local
    Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr; String found in binary or memory: http://llvm.org/):
    Source: data_3.1.dr; String found in binary or memory: http://ocsp.pki.goog/gsr10)
    Source: data_3.1.dr; String found in binary or memory: http://ocsp.pki.goog/gts1c301
    Source: data_3.1.dr; String found in binary or memory: http://ocsp.pki.goog/gtsr100
    Source: data_3.1.dr; String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
    Source: data_3.1.dr; String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
    Source: data_3.1.dr; String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0M
    Source: data_3.1.dr; String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: http://tools.ietf.org/html/rfc1950
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: Current Session.0.dr; String found in binary or memory: https://a-tk7.online
    Source: History Provider Cache.0.dr; String found in binary or memory: https://a-tk7.online/?e=rmcgillivray
    Source: data_1.1.dr; String found in binary or memory: https://a-tk7.online/favicon.ico
    Source: data_1.1.dr; String found in binary or memory: https://a-tk7.online/main
    Source: data_2.1.dr; String found in binary or memory: https://a-tk7.online/main/
    Source: History Provider Cache.0.dr; String found in binary or memory: https://a-tk7.online/main/2
    Source: History Provider Cache.0.dr; String found in binary or memory: https://a-tk7.online/main/2:
    Source: Current Session.0.dr; String found in binary or memory: https://a-tk7.online/main/D
    Source: Current Session.0.dr; String found in binary or memory: https://a-tk7.online/main/main.php
    Source: History Provider Cache.0.dr; String found in binary or memory: https://a-tk7.online/main2
    Source: History Provider Cache.0.dr; String found in binary or memory: https://a-tk7.online/main2:
    Source: Current Session.0.dr; String found in binary or memory: https://a-tk7.onlineh
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr, manifest.json4.0.dr; String found in binary or memory: https://accounts.google.com
    Source: craw_window.js.0.dr; String found in binary or memory: https://accounts.google.com/MergeSession
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr, manifest.json4.0.dr; String found in binary or memory: https://apis.google.com
    Source: pnacl_public_x86_64_crtend_o.0.dr, pnacl_public_x86_64_ld_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr; String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
    Source: pnacl_public_x86_64_crtend_o.0.dr, pnacl_public_x86_64_ld_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr; String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://clients2.google.com
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://clients2.google.com/cr/report
    Source: manifest.json0.0.dr, manifest.json3.0.dr, manifest.json4.0.dr, manifest.json.0.dr; String found in binary or memory: https://clients2.google.com/service/update2/crx
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://clients2.googleusercontent.com
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://clients6.google.com
    Source: pnacl_public_x86_64_ld_nexe.0.dr; String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
    Source: pnacl_public_x86_64_ld_nexe.0.dr; String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr; String found in binary or memory: https://content-autofill.googleapis.com
    Source: data_1.1.dr; String found in binary or memory: https://content-autofill.googleapis.com/v1/pages/Chc2LjEuMTcxNS4xNDQyL2VuIChHR0xMKRIUCbwrWqS9EIcWEgk
    Source: manifest.json4.0.dr; String found in binary or memory: https://content.googleapis.com
    Source: LICENSE.txt.0.dr; String found in binary or memory: https://creativecommons.org/.
    Source: LICENSE.txt.0.dr; String found in binary or memory: https://creativecommons.org/compatiblelicenses
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
    Source: data_2.1.dr, data_3.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/apps-themes
    Source: data_2.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/apps-themesCross-Origin-Resource-Policy:
    Source: data_3.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/apps-themescross-origin-resource-policy:cross-origincross-origin-open
    Source: data_2.1.dr, data_3.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/recaptcha
    Source: data_2.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/recaptchaCross-Origin-Resource-Policy:
    Source: data_3.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/recaptchacross-origin-resource-policy:cross-origincross-origin-opener
    Source: data_3.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/report-to/apps-themes
    Source: data_3.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptcha
    Source: Reporting and NEL.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptchaX
    Source: Reporting and NEL.1.dr; String found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptcha_
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr, 5c30c054-d6d0-4d3d-a5b3-948ac7fbba7b.tmp.1.dr; String found in binary or memory: https://dns.google
    Source: LICENSE.txt.0.dr; String found in binary or memory: https://easylist.to/)
    Source: manifest.json4.0.dr; String found in binary or memory: https://feedback.googleusercontent.com
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://fonts.googleapis.com
    Source: manifest.json4.0.dr; String found in binary or memory: https://fonts.googleapis.com;
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://fonts.gstatic.com
    Source: data_1.1.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc4.woff2
    Source: data_1.1.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc4.woff2
    Source: data_1.1.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc4.woff2%a
    Source: data_1.1.dr; String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2
    Source: manifest.json4.0.dr; String found in binary or memory: https://fonts.gstatic.com;
    Source: material_css_min.css.0.dr, angular.js.0.dr; String found in binary or memory: https://github.com/angular/material
    Source: LICENSE.txt.0.dr; String found in binary or memory: https://github.com/easylist)
    Source: craw_window.js.0.dr, craw_background.js.0.dr; String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://hangouts.clients6.google.com
    Source: manifest.json4.0.dr; String found in binary or memory: https://hangouts.google.com/
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://meetings.clients6.google.com
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://ogs.google.com
    Source: craw_window.js.0.dr, manifest.json.0.dr; String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
    Source: data_3.1.dr; String found in binary or memory: https://pki.goog/repository/0
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://play.google.com
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
    Source: 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://r5---sn-h0jeln7l.gvt1.com
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://redirector.gvt1.com
    Source: craw_window.js.0.dr, manifest.json.0.dr; String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://ssl.gstatic.com
    Source: data_1.1.dr; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css
    Source: data_1.1.dr; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.cssFs&
    Source: messages.json15.0.dr, messages.json66.0.dr, messages.json5.0.dr, messages.json7.0.dr, messages.json29.0.dr, messages.json37.0.dr, feedback.html.0.dr, messages.json62.0.dr, messages.json73.0.dr, messages.json83.0.dr, messages.json82.0.dr, messages.json46.0.dr, messages.json74.0.dr, messages.json33.0.dr, messages.json35.0.dr, messages.json0.0.dr, messages.json88.0.dr, messages.json14.0.dr, messages.json57.0.dr, messages.json18.0.dr, messages.json.0.dr, messages.json68.0.dr, messages.json36.0.dr, messages.json67.0.dr, messages.json10.0.dr, messages.json8.0.dr, messages.json2.0.dr, messages.json81.0.dr, messages.json32.0.dr, messages.json11.0.dr, messages.json64.0.dr, messages.json6.0.dr, messages.json34.0.dr, messages.json72.0.dr; String found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json15.0.dr, messages.json66.0.dr, messages.json5.0.dr, messages.json7.0.dr, messages.json29.0.dr, messages.json37.0.dr, feedback.html.0.dr, messages.json62.0.dr, messages.json73.0.dr, messages.json83.0.dr, messages.json82.0.dr, messages.json46.0.dr, messages.json74.0.dr, messages.json33.0.dr, messages.json35.0.dr, messages.json0.0.dr, messages.json88.0.dr, messages.json14.0.dr, messages.json57.0.dr, messages.json18.0.dr, messages.json.0.dr, messages.json68.0.dr, messages.json36.0.dr, messages.json67.0.dr, messages.json10.0.dr, messages.json8.0.dr, messages.json2.0.dr, messages.json81.0.dr, messages.json32.0.dr, messages.json11.0.dr, messages.json64.0.dr, messages.json6.0.dr, messages.json34.0.dr, messages.json72.0.dr; String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: craw_window.js.0.dr, craw_background.js.0.dr; String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, Current Session.0.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr, manifest.json4.0.dr; String found in binary or memory: https://www.google.com
    Source: 000003.log5.0.dr, manifest.json.0.dr; String found in binary or memory: https://www.google.com/
    Source: craw_window.js.0.dr; String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
    Source: craw_window.js.0.dr; String found in binary or memory: https://www.google.com/images/cleardot.gif
    Source: craw_window.js.0.dr; String found in binary or memory: https://www.google.com/images/dot2.gif
    Source: craw_window.js.0.dr; String found in binary or memory: https://www.google.com/images/x2.gif
    Source: craw_background.js.0.dr; String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
    Source: mirroring_hangouts.js.0.dr; String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
    Source: data_1.1.dr; String found in binary or memory: https://www.google.com/recaptcha/api.js
    Source: data_1.1.dr; String found in binary or memory: https://www.google.com/recaptcha/api2/
    Source: Current Session.0.dr; String found in binary or memory: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfeNDgdAAAAAKfVUcAGxh9ZR8-4RaKLBW_I3caW&co=aHR0
    Source: Current Session.0.dr; String found in binary or memory: https://www.google.com/recaptcha/api2/bframe?hl=en&v=_7Co1fh8iT2hcjvquYJ_3zSP&k=6LfeNDgdAAAAAKfVUcAG
    Source: data_1.1.dr; String found in binary or memory: https://www.google.com/recaptcha/api2/payload?p=06AGdBq27PixVdr1DhkCCeLGQskrTCrFvMD40ZKJfg9Q1g7c6Dgy
    Source: data_1.1.dr; String found in binary or memory: https://www.google.com/recaptcha/api2/webworker.js?hl=en&v=_7Co1fh8iT2hcjvquYJ_3zSP
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.google.com;
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, craw_window.js.0.dr, craw_background.js.0.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://www.googleapis.com
    Source: manifest.json.0.dr; String found in binary or memory: https://www.googleapis.com/
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
    Source: manifest.json.0.dr; String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
    Source: manifest.json.0.dr; String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.googleapis.com/auth/clouddevices
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.googleapis.com/auth/hangouts
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.googleapis.com/auth/meetings
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
    Source: manifest.json.0.dr; String found in binary or memory: https://www.googleapis.com/auth/sierra
    Source: manifest.json.0.dr; String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
    Source: a1bfd479-c6af-49a5-9b0b-653f68dcfe48.tmp.1.dr, 3f7a494a-2550-4a7c-a863-c4abd2a9292b.tmp.1.dr; String found in binary or memory: https://www.gstatic.com
    Source: data_1.1.dr; String found in binary or memory: https://www.gstatic.com/recaptcha/api2/audio_2x.png
    Source: data_1.1.dr; String found in binary or memory: https://www.gstatic.com/recaptcha/api2/info_2x.png
    Source: data_1.1.dr; String found in binary or memory: https://www.gstatic.com/recaptcha/api2/logo_48.png
    Source: data_1.1.dr; String found in binary or memory: https://www.gstatic.com/recaptcha/api2/logo_48.pngCgkKBw1TWkfFGgA=I
    Source: data_1.1.dr; String found in binary or memory: https://www.gstatic.com/recaptcha/api2/refresh_2x.png
    Source: data_1.1.dr; String found in binary or memory: https://www.gstatic.com/recaptcha/releases/_7Co1fh8iT2hcjvquYJ_3zSP/recaptcha__en.js
    Source: data_1.1.dr; String found in binary or memory: https://www.gstatic.com/recaptcha/releases/_7Co1fh8iT2hcjvquYJ_3zSP/recaptcha__en.jsD
    Source: data_1.1.dr; String found in binary or memory: https://www.gstatic.com/recaptcha/releases/_7Co1fh8iT2hcjvquYJ_3zSP/styles__ltr.css
    Source: manifest.json4.0.dr; String found in binary or memory: https://www.gstatic.com;
    Source: unknown; HTTP traffic detected:
        POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
        Host: accounts.google.com
        Connection: keep-alive
        Content-Length: 1
        Origin: https://www.google.com
        Content-Type: application/x-www-form-urlencoded
        Sec-Fetch-Site: none
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Dest: empty
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

    System Summary:

    HTML document with suspicious name
    Source: Name includes: Employee payment plan.HTM; Initial sample: payment
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Local\Temp\b2c14a94-bc63-4350-8ef8-0471c0cec911.tmp
    Source: classification engine; Classification label: mal60.phis.winHTM@37/285@7/11
    Source: unknown; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\Employee payment plan.HTM
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,11108747202742976980,3893295354224505846,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8 (this entry appears twice in the original report)
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown (this entry appears 34 times in the original report)
    Source: QuotaManager.0.dr; Binary or memory string: CREATE TABLE HostQuotaTable(host TEXT NOT NULL, type INTEGER NOT NULL, quota INTEGER DEFAULT 0, UNIQUE(host, type));
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-619FA594-15E8.pma
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Local\Temp\5608_1135409741\LICENSE.txt

    Mitre Att&ck Matrix

    The matrix is listed here by tactic column. A technique followed by a number in parentheses is one the report matched, the number being its signature count; the unmarked entries are the matrix's default column labels.

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
    Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
    Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
    Defense Evasion: Masquerading (1), Process Injection (1), Obfuscated Files or Information, Binary Padding
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
    Discovery: System Service Discovery, Application Window Discovery, Query Registry, System Network Configuration Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
    Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
    Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (5), Ingress Tool Transfer (3)
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud

    Behavior Graph

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.