Windows Analysis Report ATT01313.html

Overview

General Information

Sample Name: ATT01313.html
Analysis ID: 532945
MD5: 027f314bda86a9517f7b24bbf521002d
SHA1: 6bbe8faa7fc39e0f2d6d74bdab3e1d862aa7c078
SHA256: 8de7a668306be50a3c5030352dfe19014c1ebd4cb8ea285ee066fedf0aef5d13
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
HTML document with suspicious title
Phishing site detected (based on logo template match)
Phishing site detected (based on image similarity)
Found iframes
None HTTPS page querying sensitive user data (password, username or email)
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
HTML body contains low number of good links
IP address seen in connection with other malware

Classification

Phishing:

barindex
Yara detected HtmlPhish10
Source: Yara match File source: 30509.0.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/ATT01313.html Matcher: Template: microsoft matched
Phishing site detected (based on image similarity)
Source: file:///C:/Users/user/Desktop/ATT01313.html Matcher: Found strong image similarity, brand: Microsoft image: 07755.1.img.1.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Found iframes
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: Iframe src: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: Iframe src: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: Has password / email / username input fields
No HTML title found
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: HTML title missing
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/ATT01313.html HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\6724_1565279191\LICENSE.txt Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: unknown HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.3:49747 version: TLS 1.2

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.18.11.207 104.18.11.207
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr, Ruleset Data.0.dr String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
Source: ATT01313.html, data_1.1.dr String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
Source: angular.js.0.dr String found in binary or memory: http://angularjs.org
Source: angular.js.0.dr String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr String found in binary or memory: http://llvm.org/):
Source: mirroring_hangouts.js.0.dr String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: mirroring_hangouts.js.0.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mirroring_hangouts.js.0.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.0.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: Reporting and NEL.1.dr String found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=jfxAbdt3uQg1zk2oMdnA9ZYWenT8yrG6XAVsXNTeq7OPvyeflrYMzpImNnD
Source: ATT01313.html String found in binary or memory: https://aadcdn.msftauth.net
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/aad.login.min_ktc4wemsewhydsbdjhhsja2.js
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/aad.login.min_ktc4wemsewhydsbdjhhsja2.jsz
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_kfhrfyfy-sm2tmkm5ficc
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_lgjnfq3xbrj5zvj5ionvw
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/jquery.3.5.min_dc940oomzau4rsu8qesnvg2.js
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/microsoft_logo.png
Source: ATT01313.html String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_7cc096da6aa2dba3f81fcc1c8262157c.pn
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.sv
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2-small_e58aafc980614a9cd7796bea7b
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_7916a894ebde7d29c2cc29b267f1299f
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90b
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/personal_account_0f72b5950600f24e7f9a604b186f3
Source: data_1.1.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/work_account_1963c6b1926b773986f53f844ce4c32e.
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, manifest.json7.0.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, manifest.json7.0.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://apis.google.com
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js
Source: pnacl_public_x86_64_crtend_o.0.dr, pnacl_public_x86_64_ld_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_crtend_o.0.dr, pnacl_public_x86_64_ld_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json7.0.dr, manifest.json0.0.dr, manifest.json6.0.dr, manifest.json.0.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://clients6.google.com
Source: pnacl_public_x86_64_ld_nexe.0.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.0.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.slim.min.js
Source: data_1.1.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.slim.min.jsC
Source: manifest.json7.0.dr String found in binary or memory: https://content.googleapis.com
Source: LICENSE.txt.0.dr String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: data_1.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushers
Source: data_1.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushersCross-Origin-Resource-Policy:
Source: Reporting and NEL.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external
Source: data_1.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, 628e7bf3-2d4a-4754-aca7-39fdd76c73da.tmp.1.dr, 6f85145e-1dfe-4e32-abeb-6dbb677051c1.tmp.1.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://dns.google
Source: LICENSE.txt.0.dr String found in binary or memory: https://easylist.to/)
Source: manifest.json7.0.dr String found in binary or memory: https://feedback.googleusercontent.com
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json7.0.dr String found in binary or memory: https://fonts.googleapis.com;
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json7.0.dr String found in binary or memory: https://fonts.gstatic.com;
Source: material_css_min.css.0.dr, angular.js.0.dr String found in binary or memory: https://github.com/angular/material
Source: LICENSE.txt.0.dr String found in binary or memory: https://github.com/easylist)
Source: craw_window.js.0.dr, craw_background.js.0.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json7.0.dr String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: Reporting and NEL.1.dr String found in binary or memory: https://identity.nel.measure.office.net/api/report?catId=GW
Source: data_1.1.dr String found in binary or memory: https://login.live.com/Me.htm?v=3
Source: data_2.1.dr String found in binary or memory: https://login.microsoftonline.com
Source: ATT01313.html String found in binary or memory: https://login.microsoftonline.com/jsdisabled
Source: ATT01313.html String found in binary or memory: https://login.microsoftonline.com/logout.srf?ct=1548343592&amp;rver=64.4.6456.0&amp;lc=1033&amp;id=5
Source: Current Session.0.dr String found in binary or memory: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
Source: data_2.1.dr String found in binary or memory: https://login.windows-ppe.net
Source: ATT01313.html, data_1.1.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://meetings.clients6.google.com
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://ogs.google.com
Source: craw_window.js.0.dr, manifest.json.0.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://play.google.com
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://r4---sn-4g5lznle.gvt1.com
Source: data_3.1.dr String found in binary or memory: https://r4---sn-4g5lznle.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
Source: 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://redirector.gvt1.com
Source: data_1.1.dr String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: craw_window.js.0.dr, manifest.json.0.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://ssl.gstatic.com
Source: messages.json15.0.dr, messages.json66.0.dr, messages.json5.0.dr, messages.json7.0.dr, messages.json29.0.dr, messages.json49.0.dr, feedback.html.0.dr, messages.json61.0.dr, messages.json69.0.dr, messages.json62.0.dr, messages.json59.0.dr, messages.json83.0.dr, messages.json39.0.dr, messages.json33.0.dr, messages.json0.0.dr, messages.json48.0.dr, messages.json85.0.dr, messages.json88.0.dr, messages.json14.0.dr, messages.json87.0.dr, messages.json76.0.dr, messages.json.0.dr, messages.json68.0.dr, messages.json51.0.dr, messages.json50.0.dr, messages.json67.0.dr, messages.json10.0.dr, messages.json9.0.dr, messages.json8.0.dr, messages.json2.0.dr, messages.json60.0.dr, messages.json52.0.dr, messages.json31.0.dr, messages.json32.0.dr, messages.json11.0.dr, messages.json6.0.dr, messages.json34.0.dr, messages.json1.0.dr, messages.json86.0.dr, messages.json30.0.dr, messages.json84.0.dr, messages.json58.0.dr, messages.json12.0.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json15.0.dr, messages.json66.0.dr, messages.json5.0.dr, messages.json7.0.dr, messages.json29.0.dr, messages.json49.0.dr, feedback.html.0.dr, messages.json61.0.dr, messages.json69.0.dr, messages.json62.0.dr, messages.json59.0.dr, messages.json83.0.dr, messages.json39.0.dr, messages.json33.0.dr, messages.json0.0.dr, messages.json48.0.dr, messages.json85.0.dr, messages.json88.0.dr, messages.json14.0.dr, messages.json87.0.dr, messages.json76.0.dr, messages.json.0.dr, messages.json68.0.dr, messages.json51.0.dr, messages.json50.0.dr, messages.json67.0.dr, messages.json10.0.dr, messages.json9.0.dr, messages.json8.0.dr, messages.json2.0.dr, messages.json60.0.dr, messages.json52.0.dr, messages.json31.0.dr, messages.json32.0.dr, messages.json11.0.dr, messages.json6.0.dr, messages.json34.0.dr, messages.json1.0.dr, messages.json86.0.dr, messages.json30.0.dr, messages.json84.0.dr, messages.json58.0.dr, messages.json12.0.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: craw_window.js.0.dr, craw_background.js.0.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, manifest.json7.0.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://www.google.com
Source: manifest.json.0.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.0.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.0.dr String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json7.0.dr String found in binary or memory: https://www.google.com;
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, craw_window.js.0.dr, craw_background.js.0.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json7.0.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json7.0.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json7.0.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json7.0.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json7.0.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json7.0.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json7.0.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json7.0.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: e2e64232-ce3b-4ec9-b8e7-437a71cca98d.tmp.1.dr, 70d7de6f-c8fb-4e7a-8b5f-8805e4f2084a.tmp.1.dr String found in binary or memory: https://www.gstatic.com
Source: manifest.json7.0.dr String found in binary or memory: https://www.gstatic.com;
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: accounts.google.com
Source: global traffic HTTP traffic detected: GET /ajax/libs/popper.js/1.14.0/umd/popper.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/cdnbundles/converged.v2.login.min_lgjnfq3xbrj5zvj5ionvww2.css HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /bootstrap/3.3.7/js/bootstrap.min.js HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2-small_e58aafc980614a9cd7796bea7b5ea8f0.jpg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_7916a894ebde7d29c2cc29b267f1299f.jpg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/images/microsoft_logo.png HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/work_account_1963c6b1926b773986f53f844ce4c32e.png HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/personal_account_0f72b5950600f24e7f9a604b186f3945.png HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/cdnbundles/converged.v2.login.min_kfhrfyfy-sm2tmkm5ficcw2.css HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/cdnbundles/jquery.3.5.min_dc940oomzau4rsu8qesnvg2.js HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ests/2.1/content/cdnbundles/aad.login.min_ktc4wemsewhydsbdjhhsja2.js HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: application/signed-exchange;v=b3;q=0.9,*/*;q=0.8Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: aadcdn.msftauth.net
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: aadcdn.msftauth.net
Source: global traffic HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: aadcdn.msftauth.net
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.3:49747 version: TLS 1.2

System Summary:

barindex
HTML document with suspicious title
Source: file:///C:/Users/user/Desktop/ATT01313.html Tab title: Sign in to your account
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\ATT01313.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,8683752826181861584,16217120072487098425,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1908 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,8683752826181861584,16217120072487098425,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1908 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61A9A949-1A44.pma Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\7e8d975c-c945-4df3-8ccc-3f4ec186e193.tmp Jump to behavior
Source: classification engine Classification label: mal60.phis.winHTML@38/288@10/11
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\6724_1565279191\LICENSE.txt Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 532945 Sample: ATT01313.html Startdate: 02/12/2021 Architecture: WINDOWS Score: 60 20 cs1100.wpc.omegacdn.net 2->20 22 aadcdn.msftauth.net 2->22 36 Yara detected HtmlPhish10 2->36 38 HTML document with suspicious title 2->38 40 Phishing site detected (based on image similarity) 2->40 42 Phishing site detected (based on logo template match) 2->42 7 chrome.exe 16 474 2->7         started        signatures3 process4 dnsIp5 24 192.168.2.1 unknown unknown 7->24 26 192.168.2.4 unknown unknown 7->26 28 2 other IPs or domains 7->28 14 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 7->14 dropped 16 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 7->16 dropped 18 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 7->18 dropped 11 chrome.exe 26 7->11         started        file6 process7 dnsIp8 30 clients.l.google.com 142.250.203.110, 443, 49712, 56775 GOOGLEUS United States 11->30 32 googlehosted.l.googleusercontent.com 142.250.203.97, 443, 49758 GOOGLEUS United States 11->32 34 13 other IPs or domains 11->34
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.203.110
 clients.l.google.com United States
15169 GOOGLEUS false
104.18.11.207
 maxcdn.bootstrapcdn.com United States
13335 CLOUDFLARENETUS false
172.217.168.45
 accounts.google.com United States
15169 GOOGLEUS false
142.250.203.97
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
152.199.23.37
 cs1100.wpc.omegacdn.net United States
15133 EDGECASTUS false
104.16.18.94
 cdnjs.cloudflare.com United States
13335 CLOUDFLARENETUS false

Private
IP
192.168.2.1
192.168.2.4
192.168.2.5
127.0.0.1

Contacted Domains

Name IP Active
cs1100.wpc.omegacdn.net 152.199.23.37 true
accounts.google.com 172.217.168.45 true
cdnjs.cloudflare.com 104.16.18.94 true
maxcdn.bootstrapcdn.com 104.18.11.207 true
clients.l.google.com 142.250.203.110 true
googlehosted.l.googleusercontent.com 142.250.203.97 true
clients2.googleusercontent.com unknown unknown
clients2.google.com unknown unknown
code.jquery.com unknown unknown
aadcdn.msftauth.net unknown unknown
login.microsoftonline.com unknown unknown
aadcdn.msauth.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392 false
    		high
    https://aadcdn.msftauth.net/shared/1.0/content/images/personal_account_0f72b5950600f24e7f9a604b186f3945.png false
    • Avira URL Cloud: safe
    		 unknown
    https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_7916a894ebde7d29c2cc29b267f1299f.jpg false
    • Avira URL Cloud: safe
    		 unknown
    https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico false
    • URL Reputation: safe
    		 unknown
    https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
      		high
      https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js false
        		high
        https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg false
        • URL Reputation: safe
        		 unknown
        https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg false
        • Avira URL Cloud: safe
        		 unknown
        https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js false
          		high
          https://clients2.googleusercontent.com/crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx false
            		high
            https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_lgjnfq3xbrj5zvj5ionvww2.css false
            • Avira URL Cloud: safe
            		 unknown
            https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
              		high
              https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg false
              • Avira URL Cloud: safe
              		 unknown
              https://aadcdn.msftauth.net/ests/2.1/content/images/microsoft_logo.png false
              • Avira URL Cloud: safe
              		 unknown
              https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/aad.login.min_ktc4wemsewhydsbdjhhsja2.js false
              • Avira URL Cloud: safe
              		 unknown
              https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2-small_e58aafc980614a9cd7796bea7b5ea8f0.jpg false
              • Avira URL Cloud: safe
              		 unknown
              https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_kfhrfyfy-sm2tmkm5ficcw2.css false
              • Avira URL Cloud: safe
              		 unknown
              https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/jquery.3.5.min_dc940oomzau4rsu8qesnvg2.js false
              • Avira URL Cloud: safe
              		 unknown
              file:///C:/Users/user/Desktop/ATT01313.html true
                		low
                https://aadcdn.msftauth.net/shared/1.0/content/images/work_account_1963c6b1926b773986f53f844ce4c32e.png false
                • Avira URL Cloud: safe
                		 unknown