
Analysis Report http://resa.credit-financebank.com/donc/dcn/?email=bWNnaW5udEByZXNhLm5ldA==

Overview

General Information

Sample URL: http://resa.credit-financebank.com/donc/dcn/?email=bWNnaW5udEByZXNhLm5ldA==
Analysis ID: 299395

Detection

HTMLPhisher
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Yara detected HtmlPhish_3

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 6608 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6752 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6608 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW[1].htm | Rule: JoeSecurity_HtmlPhish_10 | Description: Yara detected HtmlPhish_10 | Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW[1].htm | Rule: JoeSecurity_HtmlPhish_3 | Description: Yara detected HtmlPhish_3 | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: http://resa.credit-financebank.com/donc/dcn/?email=bWNnaW5udEByZXNhLm5ldA== | SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Source: http://resa.credit-financebank.com/donc/dcn/?email=bWNnaW5udEByZXNhLm5ldA== | UrlScan: detection malicious, Label: phishing brand: microsoft
Antivirus detection for URL or domain
Source: http://resa.credit-financebank.com/donc/dcn/J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW.php?_0TCmQy24bPvWNUnAGFd8q-OxErilDZsghR59LI3k6VatMYSKprjTAZduNvbSMtYceXlVKmz0pxGoPwHIgqODhas267CkLnFBfR8b1wUIPk2Snqfuo_ARgcL7OpV6vBDtEGWi45Zr80QXFhHl3MmCdbDl19_-5x2VcSiLAjoIJHvMCREug6Td3apsPFQr7kBYheOw4fN&data=bWNnaW5udEByZXNhLm5ldA==# | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://resa.credit-financebank.com/donc/dcn/J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW.php?_0TCmQy24bPvWNUnAGFd8q-OxErilDZsghR59LI3k6VatMYSKprjTAZduNvbSMtYceXlVKmz0pxGoPwHIgqODhas267CkLnFBfR8b1wUIPk2Snqfuo_ARgcL7OpV6vBDtEGWi45Zr80QXFhHl3MmCdbDl19_-5x2VcSiLAjoIJHvMCREug6Td3apsPFQr7kBYheOw4fN&data=bWNnaW5udEByZXNhLm5ldA==#ZvEN-4qpW4EbGy_yOv86eSV13_zGaFkWfWUaFXDQjWfsNCbbr8CvOmqNUNrYmZu5vset3RioD0Sph_xFiS_yx0w4l1oPGGp6yaQ4s2krNxjRepRf1-0RSPxIfWCzX1rJFEeiH2hLu96fAoA2KpylDaF7n9A26leFwFgrB7xXvKVe-gNJPIPiIQCIFC04Vj-01F0h8S2i | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)
Source: http://resa.credit-financebank.com/donc/dcn/J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW.php?_0TCmQy24bPvWNUnAGFd8q-OxErilDZsghR59LI3k6VatMYSKprjTAZduNvbSMtYceXlVKmz0pxGoPwHIgqODhas267CkLnFBfR8b1wUIPk2Snqfuo_ARgcL7OpV6vBDtEGWi45Zr80QXFhHl3MmCdbDl19_-5x2VcSiLAjoIJHvMCREug6Td3apsPFQr7kBYheOw4fN&data=bWNnaW5udEByZXNhLm5ldA==#ZvEN-4qpW4EbGy_yOv86eSV13_zGaFkWfWUaFXDQjWfsNCbbr8CvOmqNUNrYmZu5vset3RioD0Sph_xFiS_yx0w4l1oPGGp6yaQ4s2krNxjRepRf1-0RSPxIfWCzX1rJFEeiH2hLu96fAoA2KpylDaF7n9A26leFwFgrB7xXvKVe-gNJPIPiIQCIFC04Vj-01F0h8S2i | Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match | File source: 302494.0.links.csv, type: HTML
Source: Yara match | File source: 302494.pages.csv, type: HTML
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW[1].htm, type: DROPPED
Yara detected HtmlPhish_3
Source: Yara match | File source: 302494.0.links.csv, type: HTML
Source: Yara match | File source: 302494.pages.csv, type: HTML
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW[1].htm, type: DROPPED
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Fri, 16 Oct 2020 15:26:26 GMT | server: Apache | x-powered-by: PHP/7.2.34 | expires: Thu, 19 Nov 1981 08:52:00 GMT | cache-control: no-store, no-cache, must-revalidate | pragma: no-cache | accept-ranges: none | vary: Accept-Encoding | content-encoding: gzip | content-length: 6290 | content-type: text/html; charset=UTF-8
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Fri, 16 Oct 2020 15:26:28 GMT | server: Apache | last-modified: Mon, 01 Jun 2020 02:40:10 GMT | accept-ranges: none | vary: Accept-Encoding | content-encoding: gzip | content-length: 17473 | content-type: text/css
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Fri, 16 Oct 2020 15:26:28 GMT | server: Apache | last-modified: Thu, 27 Jun 2019 18:24:46 GMT | accept-ranges: bytes | vary: Accept-Encoding | content-encoding: gzip | content-length: 276 | content-type: image/svg+xml
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Fri, 16 Oct 2020 15:26:28 GMT | server: Apache | last-modified: Thu, 27 Jun 2019 18:24:46 GMT | accept-ranges: none | vary: Accept-Encoding | content-encoding: gzip | content-length: 263 | content-type: image/svg+xml
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Fri, 16 Oct 2020 15:26:28 GMT | server: Apache | last-modified: Thu, 27 Jun 2019 18:24:46 GMT | accept-ranges: none | vary: Accept-Encoding | content-encoding: gzip | content-length: 263 | content-type: image/svg+xml
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Fri, 16 Oct 2020 15:26:29 GMT | server: Apache | last-modified: Mon, 01 Jun 2020 02:57:34 GMT | accept-ranges: none | vary: Accept-Encoding | content-encoding: gzip | content-length: 673 | content-type: image/svg+xml
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Fri, 16 Oct 2020 15:26:30 GMT | server: Apache | last-modified: Thu, 27 Jun 2019 18:24:46 GMT | accept-ranges: none | vary: Accept-Encoding | content-encoding: gzip | content-length: 540 | content-type: image/x-icon
Source: global traffic | HTTP traffic detected: GET /donc/dcn/?email=bWNnaW5udEByZXNhLm5ldA== HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /donc/dcn/J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW.php?_0TCmQy24bPvWNUnAGFd8q-OxErilDZsghR59LI3k6VatMYSKprjTAZduNvbSMtYceXlVKmz0pxGoPwHIgqODhas267CkLnFBfR8b1wUIPk2Snqfuo_ARgcL7OpV6vBDtEGWi45Zr80QXFhHl3MmCdbDl19_-5x2VcSiLAjoIJHvMCREug6Td3apsPFQr7kBYheOw4fN&data=bWNnaW5udEByZXNhLm5ldA== HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/css/login.css HTTP/1.1 | Accept: text/css, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/arrow_left.svg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/eps.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/fstmsg.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/forgetpass.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/logn.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/ellipsis_white.svg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/ellipsis_grey.svg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/bg.svg?asjdkasdads HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/passwrd.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: global traffic | HTTP traffic detected: GET /donc/dcn/images/favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: resa.credit-financebank.com | Connection: Keep-Alive | Cookie: PHPSESSID=6ebab55e477d1d47f5dec074fb36546d
Source: unknown | DNS traffic detected: queries for: resa.credit-financebank.com
Source: boot.worldwide.0.mouse[1].js.2.dr | String found in binary or memory: http://github.com/jquery/globalize
Source: {F2587537-0FC3-11EB-90EB-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://resa.credit-fin
Source: ~DF64177069175675B8.TMP.1.dr | String found in binary or memory: http://resa.credit-financebank.com/donc/dcn/J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW.php?_
Source: {F2587537-0FC3-11EB-90EB-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://resa.credit-financebank.com/donc/dcn/J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5Djzancebank.com/donc/d
Source: imagestore.dat.2.dr | String found in binary or memory: http://resa.credit-financebank.com/donc/dcn/images/favicon.ico
Source: imagestore.dat.2.dr | String found in binary or memory: http://resa.credit-financebank.com/donc/dcn/images/favicon.ico~
Source: imagestore.dat.2.dr | String found in binary or memory: http://resa.credit-financebank.com/donc/dcn/images/favicon.ico~(
Source: prefetch[1].htm.2.dr | String found in binary or memory: https://blobs.officehome.msocdn.com/bundles/app-bundle-6a480562ae8d300808a4.js
Source: prefetch[1].htm.2.dr | String found in binary or memory: https://blobs.officehome.msocdn.com/bundles/app-bundle-e605af9822fccd81ce18.css
Source: prefetch[1].htm.2.dr | String found in binary or memory: https://blobs.officehome.msocdn.com/bundles/polyfills-bundle-7e9c6616331eab222d42.js
Source: prefetch[1].htm.2.dr | String found in binary or memory: https://blobs.officehome.msocdn.com/bundles/sharedscripts-b0a68e18d1.js
Source: prefetch[1].htm.2.dr | String found in binary or memory: https://blobs.officehome.msocdn.com/bundles/staticscripts-6b9fd104bb.js
Source: prefetch[1].htm.2.dr | String found in binary or memory: https://blobs.officehome.msocdn.com/images/content/images/fluent-background-sources/header-default-d
Source: prefetch[1].htm.2.dr | String found in binary or memory: https://outlook.office365.com/owa/prefetch.aspx
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/resources/images/0/sprite1.mouse.css
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/resources/images/0/sprite1.mouse.png
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/resources/styles/0/boot.worldwide.mouse.css
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/resources/styles/fonts/office365icons.eot?#i
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/resources/styles/fonts/office365icons.svg
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/resources/styles/fonts/office365icons.ttf
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/resources/styles/fonts/office365icons.woff
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/scripts/boot.worldwide.0.mouse.js
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/scripts/boot.worldwide.1.mouse.js
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/scripts/boot.worldwide.2.mouse.js
Source: prefetch[2].htm.2.dr | String found in binary or memory: https://r4.res.office365.com/owa/prem/16.3790.0.2749802/scripts/boot.worldwide.3.mouse.js
Source: J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW[1].htm.2.dr | String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8148.16/content/images/microsoft_logo.png?x=ed9
Source: J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW[1].htm.2.dr | String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8148.16/content/images/microsoft_logo.svg?x=ee5
Source: J67_9NpbfPeB43EHZIyi1hmlT0csvqLRM5DjzKdaGuxOUXSoQW[1].htm.2.dr | String found in binary or memory: https://www.office.com/prefetch/prefetch
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: classification engine | Classification label: mal80.phis.win@3/29@5/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F2587535-0FC3-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF34AD48C7C16D0AE5.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6608 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6608 CREDAT:17410 /prefetch:2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Techniques listed per tactic column; a number in parentheses after a technique is the count of matched signatures for it.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Defense Evasion: Masquerading (1), Process Injection (1), Obfuscated Files or Information, Binary Padding
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: File and Directory Discovery (1), Application Window Discovery, Query Registry, System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (3), Application Layer Protocol (4), Ingress Tool Transfer (2)
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
Impact: Modify System Partition, Device Lockout, Delete Device Data

Behavior Graph

[Behavior graph image; legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]