Loading... Additional Content is being loaded

Windows Analysis Report
http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

Overview

General Information

Sample URL:	http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl
Analysis ID:	1467885
Infos:

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Yara detected HtmlPhish64

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl	Avira URL Cloud: detection malicious, Label: phishing
Source: http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl	SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Antivirus detection for URL or domain

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gstyles.css	Avira URL Cloud: Label: phishing
Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/images/download_afD_icon.ico	Avira URL Cloud: Label: phishing
Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gform.css	Avira URL Cloud: Label: phishing

Phishing

AI detected phishing page

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev

LLM: Score: 9 brands: Yahoo Reasons: The URL 'https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev' does not match the legitimate domain 'yahoo.com'. The page prominently displays a login form asking for a password, which is a common phishing tactic. The domain 'r2.dev' is suspicious and not associated with Yahoo. The use of a subdomain and a long, complex URL is another common social engineering technique to mislead users. There is no CAPTCHA present, which is often used by legitimate sites to prevent automated attacks. Overall, the combination of these factors strongly suggests that this is a phishing site. DOM: 0.0.pages.csv

Yara detected HtmlPhish64

Source: Yara match

File source: 0.0.pages.csv, type: HTML

HTML body contains low number of good links

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: Title: Yahoo Mail | Sign in does not match URL

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: <input type="password" .../> found

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /gsecondcheck.html?usr=ouwxfmmtalwl HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /gform.css HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /gstyles.css HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2019/09/yahoo-logo-1.png HTTP/1.1Host: logodownload.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/download_afD_icon.ico HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /json?token=5eaf0700b2c0d2 HTTP/1.1Host: ipinfo.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, /; q=0.01sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://pub-431046b43b84431ea1b4a212cd34e302.r2.devSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2019/09/yahoo-logo-1.png HTTP/1.1Host: logodownload.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /json?token=5eaf0700b2c0d2 HTTP/1.1Host: ipinfo.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /gsecondcheck.html?usr=ouwxfmmtalwl HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: pub-431046b43b84431ea1b4a212cd34e302.r2.dev
Source: global traffic	DNS traffic detected: DNS query: pro.fontawesome.com
Source: global traffic	DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: logodownload.org
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 22:30:28 GMTContent-Type: text/htmlContent-Length: 27150Connection: closeServer: cloudflareCF-RAY: 89e28f5d68df423a-EWR

Source: chromecache_56.2.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
Source: chromecache_57.2.dr	String found in binary or memory: https://api.emailjs.com
Source: chromecache_56.2.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/
Source: chromecache_57.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin
Source: chromecache_57.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin/account
Source: chromecache_57.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin/templates
Source: chromecache_56.2.dr	String found in binary or memory: https://dashboard.emailjs.com/templates
Source: chromecache_55.2.dr	String found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
Source: chromecache_52.2.dr	String found in binary or memory: https://fontawesome.com
Source: chromecache_52.2.dr	String found in binary or memory: https://fontawesome.com/license
Source: chromecache_56.2.dr	String found in binary or memory: https://ipinfo.io
Source: chromecache_56.2.dr	String found in binary or memory: https://ipinfo.io/json?token=5eaf0700b2c0d2
Source: chromecache_56.2.dr	String found in binary or memory: https://logodownload.org/wp-content/uploads/2019/09/yahoo-logo-1.png
Source: chromecache_56.2.dr	String found in binary or memory: https://mail.yahoo.com
Source: chromecache_56.2.dr	String found in binary or memory: https://pro.fontawesome.com/releases/v5.10.0/css/all.css
Source: chromecache_55.2.dr	String found in binary or memory: https://www.cloudflare.com/favicon.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: classification engine

Classification label: mal72.phis.win@17/22@18/8

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2016,i,760030498250869216,11143219381644743243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2016,i,760030498250869216,11143219381644743243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.185.68	www.google.com	United States		15169	GOOGLEUS	false
104.18.2.35	pub-431046b43b84431ea1b4a212cd34e302.r2.dev	United States		13335	CLOUDFLARENETUS	true
104.26.7.17	logodownload.org	United States		13335	CLOUDFLARENETUS	false
104.26.6.17	unknown	United States		13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false

Private

IP
192.168.2.4
192.168.2.5

Contacted Domains

Name	IP	Active
ipinfo.io	34.117.186.192	true
www.google.com	142.250.185.68	true
logodownload.org	104.26.7.17	true
pub-431046b43b84431ea1b4a212cd34e302.r2.dev	104.18.2.35	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true
cdn.jsdelivr.net	unknown	unknown
pro.fontawesome.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl	true		unknown
https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gstyles.css	true	Avira URL Cloud: phishing	unknown
http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl	true		unknown
https://logodownload.org/wp-content/uploads/2019/09/yahoo-logo-1.png	false	Avira URL Cloud: safe	unknown
https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/images/download_afD_icon.ico	true	Avira URL Cloud: phishing	unknown
https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gform.css	true	Avira URL Cloud: phishing	unknown
https://ipinfo.io/json?token=5eaf0700b2c0d2	false	Avira URL Cloud: safe	unknown

Name	Type	MD5	SHA1	SHA256
Chrome Cache Entry: 49	ASCII text, with CRLF line terminators	726EF0647391ED5EFC9076BCDB91C606	5BDEE0E3E5C9B14CE2F6D9CB34A1EB056B0B51EE	0F549EC9F7ABAAF6409BF193A6156746C92DF5FF979C66A378F2E73E616C8533
Chrome Cache Entry: 50	ASCII text, with CRLF line terminators	52ECF9BBF69E5BB6EA38C281C8DE64DF	24408727238F2D74888BC2B4DCDB4409BA7B508B	B76CCCD789FBC73288F948C24B4E2C311B8AA7FEDFB026E20B76509F99193F4B
Chrome Cache Entry: 51	PNG image data, 2160 x 599, 8-bit/color RGBA, non-interlaced	8F78102F8FE4467EA5AF76657DD90891	2CCA9300ABC18E5D22172A146EEBB32B44764489	DD5A09D5898D5480D063E1833C4D9BC3F509F3D7C672E0C0E973BB061A694AE2
Chrome Cache Entry: 52	ASCII text, with very long lines (65393)	AA1272633E7E552395D147A499BAD186	DDBCCB0011DD4868A013B1DCBDB836B7213EB41D	2AF905D92CFD34B5413126A54F639DA408166CBBCB54318E413AD5E10B5BF6EC
Chrome Cache Entry: 53	JSON data	D362ABFA435FB75BBDCB2E194D14DC4F	E5DEC1FABE990767DB2966E945BF08A269130933	EE7C9F0B3E011AC99A18CC6EC81AC78F25DC57CFE01CB69B99B7A45E5D8927D0
Chrome Cache Entry: 54	ASCII text, with very long lines (32058)	C9F5AEECA3AD37BF2AA006139B935F0A	1055018C28AB41087EF9CCEFE411606893DABEA2	87083882CC6015984EB0411A99D3981817F5DC5C90BA24F0940420C5548D82DE
Chrome Cache Entry: 55	HTML document, ASCII text, with very long lines (611)	46DD133EE00DC1BAE5E4EEBA7B88432F	8AF86A4AC91CE48C062216FB94A6E1D57618A19B	9EB52EE46C7AB5EA4CA0982415DA99FDED1B7D7354F75E50847BDAE6CB44EB66
Chrome Cache Entry: 56	HTML document, ASCII text, with CRLF line terminators	167C14212AB66C838DA881E5FAF380E1	D8ACB8C82BC33E0CE92714AD520AEB633E258AF4	93D44944EB748CC718B13265D2BAB5A839A966D91FE91BC6439ABF2A65A983D3
Chrome Cache Entry: 57	ASCII text, with very long lines (2058), with no line terminators	AAF4B4C066039688024B3EB28B99260D	3D7499D713898A2798F449D8B3528D4094475208	249F5139F01396E20B067FBE6DB17315981FB1C36C64D64DF224BCF0F8750EAB
Chrome Cache Entry: 58	ASCII text, with no line terminators	7BB7122B943F1A90979012260A7198F0	89E353A31F28A60AC1F8E9A642501D612CDE4111	917D709AA3A7011EBB1D9FD1196D1D37E711F03BFC83E5355E900BF092DE34A0
Chrome Cache Entry: 59	PNG image data, 2160 x 599, 8-bit/color RGBA, non-interlaced	8F78102F8FE4467EA5AF76657DD90891	2CCA9300ABC18E5D22172A146EEBB32B44764489	DD5A09D5898D5480D063E1833C4D9BC3F509F3D7C672E0C0E973BB061A694AE2
Chrome Cache Entry: 60	JSON data	D362ABFA435FB75BBDCB2E194D14DC4F	E5DEC1FABE990767DB2966E945BF08A269130933	EE7C9F0B3E011AC99A18CC6EC81AC78F25DC57CFE01CB69B99B7A45E5D8927D0

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl	Avira URL Cloud: detection malicious, Label: phishing
Source: http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl	SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Antivirus detection for URL or domain

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gstyles.css	Avira URL Cloud: Label: phishing
Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/images/download_afD_icon.ico	Avira URL Cloud: Label: phishing
Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gform.css	Avira URL Cloud: Label: phishing

Phishing

AI detected phishing page

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev

LLM: Score: 9 brands: Yahoo Reasons: The URL 'https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev' does not match the legitimate domain 'yahoo.com'. The page prominently displays a login form asking for a password, which is a common phishing tactic. The domain 'r2.dev' is suspicious and not associated with Yahoo. The use of a subdomain and a long, complex URL is another common social engineering technique to mislead users. There is no CAPTCHA present, which is often used by legitimate sites to prevent automated attacks. Overall, the combination of these factors strongly suggests that this is a phishing site. DOM: 0.0.pages.csv

Yara detected HtmlPhish64

Source: Yara match

File source: 0.0.pages.csv, type: HTML

HTML body contains low number of good links

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: Title: Yahoo Mail | Sign in does not match URL

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: <input type="password" .../> found

Source: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	TCP traffic detected without corresponding DNS query: 87.248.205.0
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /gsecondcheck.html?usr=ouwxfmmtalwl HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /gform.css HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /gstyles.css HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2019/09/yahoo-logo-1.png HTTP/1.1Host: logodownload.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/download_afD_icon.ico HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /json?token=5eaf0700b2c0d2 HTTP/1.1Host: ipinfo.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, /; q=0.01sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://pub-431046b43b84431ea1b4a212cd34e302.r2.devSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2019/09/yahoo-logo-1.png HTTP/1.1Host: logodownload.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /json?token=5eaf0700b2c0d2 HTTP/1.1Host: ipinfo.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /gsecondcheck.html?usr=ouwxfmmtalwl HTTP/1.1Host: pub-431046b43b84431ea1b4a212cd34e302.r2.devConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: pub-431046b43b84431ea1b4a212cd34e302.r2.dev
Source: global traffic	DNS traffic detected: DNS query: pro.fontawesome.com
Source: global traffic	DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: logodownload.org
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 22:30:28 GMTContent-Type: text/htmlContent-Length: 27150Connection: closeServer: cloudflareCF-RAY: 89e28f5d68df423a-EWR

Source: chromecache_56.2.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
Source: chromecache_57.2.dr	String found in binary or memory: https://api.emailjs.com
Source: chromecache_56.2.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/
Source: chromecache_57.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin
Source: chromecache_57.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin/account
Source: chromecache_57.2.dr	String found in binary or memory: https://dashboard.emailjs.com/admin/templates
Source: chromecache_56.2.dr	String found in binary or memory: https://dashboard.emailjs.com/templates
Source: chromecache_55.2.dr	String found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
Source: chromecache_52.2.dr	String found in binary or memory: https://fontawesome.com
Source: chromecache_52.2.dr	String found in binary or memory: https://fontawesome.com/license
Source: chromecache_56.2.dr	String found in binary or memory: https://ipinfo.io
Source: chromecache_56.2.dr	String found in binary or memory: https://ipinfo.io/json?token=5eaf0700b2c0d2
Source: chromecache_56.2.dr	String found in binary or memory: https://logodownload.org/wp-content/uploads/2019/09/yahoo-logo-1.png
Source: chromecache_56.2.dr	String found in binary or memory: https://mail.yahoo.com
Source: chromecache_56.2.dr	String found in binary or memory: https://pro.fontawesome.com/releases/v5.10.0/css/all.css
Source: chromecache_55.2.dr	String found in binary or memory: https://www.cloudflare.com/favicon.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: classification engine

Classification label: mal72.phis.win@17/22@18/8

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2016,i,760030498250869216,11143219381644743243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2016,i,760030498250869216,11143219381644743243,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected