Windows Analysis Report
https://officsccounts.com/

Overview

General Information

Sample URL: https://officsccounts.com/
Analysis ID: 1592309

Detection

HTMLPhisher
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
Yara detected HtmlPhish10
AI detected suspicious URL
Detected non-DNS traffic on DNS port
HTML body contains low number of good links
HTML title does not match URL
Invalid 'forgot password' link found
Invalid 'sign-in options' or 'sign-up' link found
Stores files to the Windows start menu directory
Suspicious form URL found

Classification

AV Detection

Source: https://officsccounts.com/ Avira URL Cloud: detection malicious, Label: phishing
Source: https://officsccounts.com/favicon.ico Avira URL Cloud: Label: phishing
Source: https://officsccounts.com/prohqcker2.php Avira URL Cloud: Label: phishing
Source: https://officsccounts.com/prohqcker.php Avira URL Cloud: Label: phishing
Source: https://officsccounts.com/arrow_left.svg Avira URL Cloud: Label: phishing

Phishing

Source: https://officsccounts.com/ Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is well-known and typically associated with the domain 'microsoft.com'. The URL 'officsccounts.com' does not match the legitimate domain name for Microsoft. The URL contains a misspelling of 'office', which is a common tactic used in phishing to deceive users. The domain 'officsccounts.com' is not a recognized or legitimate domain associated with Microsoft. The presence of an unusual email input field 'fr7jcd@rfcbhhd.co' suggests potential phishing activity. DOM: 0.0.pages.csv
Source: https://officsccounts.com/index2.php Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is well-known and typically associated with the domain 'microsoft.com'. The URL 'officsccounts.com' does not match the legitimate domain 'microsoft.com'. The URL contains a misspelling of 'office', which is a common tactic used in phishing to deceive users. The domain 'officsccounts.com' is not a recognized Microsoft domain and is suspicious. The presence of a password input field ('Entrer le mot de passe') suggests an attempt to capture sensitive information. DOM: 2.1.pages.csv
Source: https://officsccounts.com/index3.php Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is well-known and typically associated with the domain 'microsoft.com'. The URL 'officsccounts.com' does not match the legitimate domain for Microsoft. The URL contains a misspelling of 'office', which is a common tactic in phishing attempts. The domain 'officsccounts.com' is not a recognized Microsoft domain and is suspicious. The presence of input fields related to login (e.g., 'Gardez-moi connecté', 'Mot de passe oublié?') on a non-legitimate domain increases the risk of phishing. DOM: 3.2.pages.csv
Source: Yara match File source: 0.0.pages.csv, type: HTML
Source: Yara match File source: dropped/chromecache_88, type: DROPPED
Source: URL Joe Sandbox AI: AI detected Brand spoofing attempt in URL: https://officsccounts.com
Source: URL Joe Sandbox AI: AI detected Typosquatting in URL: https://officsccounts.com
Source: https://officsccounts.com/ HTTP Parser: Number of links: 0
Source: https://officsccounts.com/index2.php HTTP Parser: Number of links: 0
Source: https://officsccounts.com/index3.php HTTP Parser: Number of links: 0
Source: https://officsccounts.com/ HTTP Parser: Title: Sign in to your account does not match URL
Source: https://officsccounts.com/index2.php HTTP Parser: Title: Sign in to your account does not match URL
Source: https://officsccounts.com/index3.php HTTP Parser: Title: Sign in to your account does not match URL
Source: https://officsccounts.com/index3.php HTTP Parser: Invalid link: réinitialisez-le maintenant.
Source: https://officsccounts.com/ HTTP Parser: Invalid link: Créer une!
Source: https://officsccounts.com/ HTTP Parser: Form action: prohqcker.php
Source: https://officsccounts.com/index2.php HTTP Parser: Form action: prohqcker2.php
Source: https://officsccounts.com/index3.php HTTP Parser: Form action: prohqcker3.php
Source: https://officsccounts.com/index2.php HTTP Parser: <input type="password" .../> found
Source: https://officsccounts.com/index3.php HTTP Parser: <input type="password" .../> found
Source: https://officsccounts.com/ HTTP Parser: No <meta name="author".. found
Source: https://officsccounts.com/index2.php HTTP Parser: No <meta name="author".. found
Source: https://officsccounts.com/index3.php HTTP Parser: No <meta name="author".. found
Source: https://officsccounts.com/ HTTP Parser: No <meta name="copyright".. found
Source: https://officsccounts.com/index2.php HTTP Parser: No <meta name="copyright".. found
Source: https://officsccounts.com/index3.php HTTP Parser: No <meta name="copyright".. found

Networking

Source: Network traffic Suricata IDS: 2044230 - Severity 1 - ET PHISHING Prohqcker Phish Kit : 52.77.229.158:443 -> 192.168.2.5:61360
Source: Network traffic Suricata IDS: 2044230 - Severity 1 - ET PHISHING Prohqcker Phish Kit : 52.77.229.158:443 -> 192.168.2.5:49714
Source: Network traffic Suricata IDS: 2044230 - Severity 1 - ET PHISHING Prohqcker Phish Kit : 52.77.229.158:443 -> 192.168.2.5:61443
Source: global traffic TCP traffic: 192.168.2.5:61328 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.5:54363 -> 1.1.1.1:53
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Host: officsccounts.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Host: officsccounts.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://officsccounts.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Host: officsccounts.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /index2.php HTTP/1.1
    Host: officsccounts.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: https://officsccounts.com/prohqcker.php
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: logged_in=1; email=fr7jcd%40rfcbhhd.co%0A
Source: global traffic HTTP traffic detected:
    GET /arrow_left.svg HTTP/1.1
    Host: officsccounts.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://officsccounts.com/index2.php
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: logged_in=1; email=fr7jcd%40rfcbhhd.co%0A
Source: global traffic HTTP traffic detected:
    GET /arrow_left.svg HTTP/1.1
    Host: officsccounts.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: logged_in=1; email=fr7jcd%40rfcbhhd.co%0A
Source: global traffic HTTP traffic detected:
    GET /index3.php HTTP/1.1
    Host: officsccounts.com
    Connection: keep-alive
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Referer: https://officsccounts.com/index2.php
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: logged_in=1; email=fr7jcd%40rfcbhhd.co%0A
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: officsccounts.com
Source: global traffic DNS traffic detected: DNS query: logincdn.msftauth.net
Source: unknown HTTP traffic detected:
    POST /prohqcker.php HTTP/1.1
    Host: officsccounts.com
    Connection: keep-alive
    Content-Length: 25
    Cache-Control: max-age=0
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: https://officsccounts.com
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: https://officsccounts.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: chromecache_92.2.dr, chromecache_88.2.dr String found in binary or memory: https://aadcdn.msauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_8owwt4u-33ps0wawi7tmow2
Source: chromecache_92.2.dr, chromecache_88.2.dr String found in binary or memory: https://aadcdn.msauth.net/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_drcggiwi0cys
Source: chromecache_88.2.dr String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.s
Source: chromecache_88.2.dr String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/microsoft_logo_ed9c9eb0dce17d752bedea6b5acda6d9.
Source: chromecache_88.2.dr String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.
Source: chromecache_88.2.dr String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/signin-options_4e48046ce74f4b89d45037c90576bfac.
Source: chromecache_98.2.dr, chromecache_92.2.dr, chromecache_88.2.dr String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_NnFX4S8X6vb-OgGnD82WNA2.js
Source: chromecache_98.2.dr, chromecache_92.2.dr, chromecache_88.2.dr String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_pcustomizationloader_f3782
Source: chromecache_98.2.dr, chromecache_92.2.dr String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_pfetchsessionsprogress_85a
Source: chromecache_98.2.dr, chromecache_92.2.dr String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_pstringcustomizationhelper
Source: chromecache_98.2.dr, chromecache_92.2.dr String found in binary or memory: https://login.live.com/gls.srf?urlID=MSNPrivacyStatement&amp;mkt=EN-US&amp;uaid=02dedac913434497925d
Source: chromecache_98.2.dr, chromecache_92.2.dr String found in binary or memory: https://login.live.com/gls.srf?urlID=WinLiveTermsOfUse&amp;mkt=EN-US&amp;uaid=02dedac913434497925dd1
Source: chromecache_98.2.dr, chromecache_92.2.dr String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a
Source: chromecache_98.2.dr, chromecache_92.2.dr String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ed9c9eb0dce17d752bedea6b5acda
Source: chromecache_92.2.dr String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e9
Source: classification engine Classification label: mal84.phis.win@16/52@8/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=1980,i,4063316755708107146,3631400609064035866,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://officsccounts.com/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk