Analysis Report http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=

Overview

General Information

Sample URL: http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=
Analysis ID: 321258

Detection

HTMLPhisher
Score: 72 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
HTML body contains low number of good links
HTML title does not match URL
Invalid T&C link found
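
The path segment of the sample URL, and the data= parameter of the second-stage URL listed under Signature Overview, are base64; the report itself shows the decoded form in the memory string https://daabaaru.com/fax/document/?Jacqueline.Schrader. The Python below is an added example, not code from the report or from the phishing kit, that recovers such tokens from a URL: it splits the URL on separators, decodes every base64-looking run and labels the result. Reading the first query token as a Unix timestamp followed by hex is an assumption made here for illustration; the report does not say what that value is.

```python
"""Decode the personalised tokens in the phishing URLs from this report.

Added example; not code from the report or from the phishing kit. The two
URLs are copied from the report; every helper below is written here."""
import base64
import binascii
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# First-stage URL (the submitted sample) and second-stage URL (the page it
# redirected to), both copied verbatim from the report.
STAGE1 = ("http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/"
          "SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=")
STAGE2 = ("https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php"
          "?MTYwNTg5MTYwMDZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTEwMDA5MmRjMDdjYWM1YmYzN2UwMTdkM2M5ZGEwOTllYw=="
          "&data=SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=")

_B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")   # standard or URL-safe alphabet
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def decode_token(token: str) -> Optional[str]:
    """Base64-decode a token; None unless it is valid base64 yielding printable ASCII."""
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)              # restore padding if the kit stripped it
    try:
        text = base64.b64decode(t, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(text: str) -> str:
    """Triage label for a decoded token."""
    if _EMAIL.match(text):
        return "email"
    if re.fullmatch(r"\d{10}[0-9a-f]+", text):
        # Ten leading digits followed by hex: read the digits as a Unix
        # timestamp. That the kit builds the token this way is an assumption
        # of this example; the report does not state what the value is.
        ts = datetime.fromtimestamp(int(text[:10]), tz=timezone.utc)
        return f"timestamp+hex ({ts:%Y-%m-%d %H:%M:%S} UTC)"
    return "opaque"


def extract_tokens(url: str) -> List[Tuple[str, str, str]]:
    """(token, decoded text, label) for every decodable base64 run in the URL.
    The URL is split on / ? & first so a token is never glued to a path or key."""
    found = []
    for piece in re.split(r"[/?&]", url):
        for m in _B64_RUN.finditer(piece):
            decoded = decode_token(m.group(0))
            if decoded is not None:
                found.append((m.group(0), decoded, classify(decoded)))
    return found


def victim_email(url: str) -> Optional[str]:
    """The recipient address the link was personalised for, if present."""
    return next((d for _, d, label in extract_tokens(url) if label == "email"), None)


if __name__ == "__main__":
    for url in (STAGE1, STAGE2):
        print(url)
        for token, decoded, label in extract_tokens(url):
            print(f"  {token[:20]}...  ->  {decoded}  [{label}]")
```

Splitting on separators before matching matters: a greedy base64 regex over the whole URL would swallow `com/asci/` together with the token and the decode would fail. Hostnames and the PHP file name in these URLs are also long alphanumeric runs; they are discarded because they decode to non-ASCII bytes.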

Startup

  • System is w10x64
  • iexplore.exe (PID: 5900 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5268 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\myp0dplr1edpvg99v613ua80[1].htm
Rule: JoeSecurity_HtmlPhish_10
Description: Yara detected HtmlPhish_10
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=
    SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
    UrlScan: detection malicious, Label: phishing brand: onedrive
Antivirus detection for URL or domain
  Source: https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php?MTYwNTg5MTYwMDZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTEwMDA5MmRjMDdjYWM1YmYzN2UwMTdkM2M5ZGEwOTllYw==&data=SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=
    SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)
  Source: https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php?MTYwNTg5MTYwMDZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTEwMDA5MmRjMDdjYWM1YmYzN2UwMTdkM2M5ZGEwOTllYw==&data=SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=
    Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
  Source: Yara match, file source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\myp0dplr1edpvg99v613ua80[1].htm, type: DROPPED
HTTP Parser findings for the same second-stage URL (these back the signatures "HTML body contains low number of good links", "HTML title does not match URL" and "Invalid T&C link found" listed above):
    Number of links: 0
    Title: Sign in to your account does not match URL
    Invalid link: Terms of use
    No <meta name="author".. found
    No <meta name="copyright".. found

Network, file and process activity:

  Source: global traffic  HTTP traffic detected:
    GET /asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: rwiqipwvnklaqkuu.ltiliqhting.com
    Connection: Keep-Alive
  Source: unknown  DNS traffic detected: queries for: rwiqipwvnklaqkuu.ltiliqhting.com
  Source: ~DF8164221878F877A2.TMP.1.dr  String found in binary or memory: http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=
  Source: {3E7062E8-2B9D-11EB-90E4-ECF4BB862DED}.dat.1.dr  String found in binary or memory: http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=Root
  Source: myp0dplr1edpvg99v613ua80[1].htm.2.dr  String found in binary or memory: https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbran
  Source: SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=[1].htm.2.dr  String found in binary or memory: https://daabaaru.com/fax/document/?Jacqueline.Schrader
  Source: imagestore.dat.2.dr  String found in binary or memory: https://daabaaru.com/fax/document/lib/img/favicon.ico
  Source: imagestore.dat.2.dr  String found in binary or memory: https://daabaaru.com/fax/document/lib/img/favicon.ico~
  Source: imagestore.dat.2.dr  String found in binary or memory: https://daabaaru.com/fax/document/lib/img/favicon.ico~(
  Source: ~DF8164221878F877A2.TMP.1.dr  String found in binary or memory: https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php?MTYwNTg5MTYwMDZkMDZjNTRlMTMzYjlkYjc1Z
  Source: {3E7062E8-2B9D-11EB-90E4-ECF4BB862DED}.dat.1.dr  String found in binary or memory: https://daabaaru.com/fu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=ax/document
  Source: unknown  Network traffic detected: HTTP traffic on ports 49713, 49714, 49724, 49725 and 49727 -> 443, and on port 443 -> each of those five ports
  Source: classification engine  Classification label: mal72.phis.win@3/15@4/3
  Source: C:\Program Files\internet explorer\iexplore.exe  File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
  Source: C:\Program Files\internet explorer\iexplore.exe  File created: C:\Users\user\AppData\Local\Temp\~DFCA8D72B327600857.TMP
  Source: C:\Program Files\internet explorer\iexplore.exe  File read: C:\Users\desktop.ini
  Source: unknown  Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
  Source: unknown  Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2
  Source: C:\Program Files\internet explorer\iexplore.exe  Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2
  Source: Window Recorder  Window detected: More than 3 window changes detected
  Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe  File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
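
The HTTP Parser rows above (zero links, a title that does not match the URL, a dead "Terms of use" link, no <meta> author or copyright) and the banner logo the page fetches from aadcdn.msauthimages.net are all static properties of the HTML that can be checked without rendering it. The Python below is an added example, neither Joe Sandbox's nor the kit's code, that implements those checks and runs them over a constructed HTML sample imitating what the report describes next to a constructed benign page; the kit's real markup is not in the report, and the BRAND_ASSET_HOSTS list and the link-count threshold are assumptions made for the example.

```python
"""Static phishing-page checks of the kind the report's HTTP Parser rows
describe, run over constructed HTML samples.

Added example; not code from Joe Sandbox or from the phishing kit."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH_URL = "https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php"
# Constructed sample: title from the report, a banner logo pulled from the
# tenant-branding CDN the report lists, and legal links that go nowhere.
PHISH_HTML = """<!doctype html><html><head>
<title>Sign in to your account</title>
<link rel="stylesheet" href="lib/css/login.css">
</head><body>
<img src="https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbranding/0/bannerlogo">
<form method="post" action="next.php">
  <input type="email" name="login" value="Jacqueline.Schrader@rabobank.com">
  <input type="password" name="passwd"><input type="submit" value="Sign in">
</form>
<a href="#">Terms of use</a> <a href="javascript:void(0)">Privacy &amp; cookies</a>
</body></html>"""

BENIGN_URL = "https://login.example.com/"   # constructed benign page for contrast
BENIGN_HTML = """<!doctype html><html><head>
<title>Example Account Login</title>
<meta name="author" content="Example Inc."><meta name="copyright" content="Example Inc.">
</head><body>
<form method="post" action="/session"><input type="password" name="p"></form>
<a href="https://www.example.com/terms">Terms of use</a>
<a href="https://www.example.com/privacy">Privacy</a>
<a href="https://www.example.com/">Home</a>
</body></html>"""

# Hosts that serve Microsoft sign-in branding; a page on any other host that
# embeds them is borrowing the real page's look. Assumed list for this example.
BRAND_ASSET_HOSTS = {"aadcdn.msauthimages.net", "aadcdn.msftauth.net"}
LEGAL_LINK_TEXT = ("terms", "privacy")
DEAD_HREFS = {"", "#", "javascript:void(0)", "javascript:;"}


class _Collector(HTMLParser):
    """Gathers the title, anchors, <meta name> values and external asset hosts."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title = "", False
        self.anchors = []           # (href, visible text)
        self.metas = set()          # <meta name=...> values, lower-cased
        self.asset_hosts = set()    # hosts of img/script/link sources
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._cur = [(a.get("href") or "").strip(), ""]
        elif tag == "meta" and a.get("name"):
            self.metas.add(a["name"].lower())
        elif tag in ("img", "script", "link"):
            host = urlparse(a.get("src") or a.get("href") or "").hostname
            if host:
                self.asset_hosts.add(host.lower())

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._cur is not None:
            self.anchors.append((self._cur[0], " ".join(self._cur[1].split())))
            self._cur = None


def phishing_indicators(url, html):
    """Names of the indicators a page triggers (empty list for a clean page)."""
    host = (urlparse(url).hostname or "").lower()
    c = _Collector()
    c.feed(html)
    hits = []
    good = [h for h, _ in c.anchors if urlparse(h).scheme in ("http", "https")]
    if len(good) < 2:                                   # threshold chosen for this example
        hits.append(f"low number of good links ({len(good)})")
    words = re.findall(r"[a-z]{4,}", c.title.lower())   # does any title word name the host?
    if words and not any(w in host for w in words):
        hits.append(f"title '{c.title.strip()}' does not match URL host {host}")
    for href, text in c.anchors:                        # legal links that lead nowhere
        if text.lower().startswith(LEGAL_LINK_TEXT) and href.lower() in DEAD_HREFS:
            hits.append(f"invalid link: {text}")
    for name in ("author", "copyright"):
        if name not in c.metas:
            hits.append(f'no <meta name="{name}"> found')
    foreign = sorted(h for h in c.asset_hosts if h in BRAND_ASSET_HOSTS and h != host)
    if foreign:
        hits.append("brand assets loaded from " + ", ".join(foreign))
    return hits


if __name__ == "__main__":
    for label, u, h in (("phish", PHISH_URL, PHISH_HTML), ("benign", BENIGN_URL, BENIGN_HTML)):
        print(label, phishing_indicators(u, h))
```

None of these checks is proof on its own; the report's own score combines them with the favicon template match and the AV verdicts. The brand-asset check is the one worth adding to a parser like this, because a lookalike that serves real tenant branding from the vendor's CDN looks more convincing to the victim while being easy to spot statically.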

Mitre Att&ck Matrix

Techniques with matching signatures (number of matching signatures in parentheses); every other cell of the matrix was empty:

Privilege Escalation: Process Injection (1)
Defense Evasion: Process Injection (1), Masquerading (1)
Discovery: File and Directory Discovery (1)
Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | 0% | Avira URL Cloud | safe
http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | 100% | SlashNext | Fake Login Page type: Phishing & Social Engineering
http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | 100% | UrlScan | phishing brand: onedrive

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php?MTYwNTg5MTYwMDZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTEwMDA5MmRjMDdjYWM1YmYzN2UwMTdkM2M5ZGEwOTllYw==&data=SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | 100% | SlashNext | Fake Login Page type: Phishing & Social Engineering
https://daabaaru.com/fax/document/?Jacqueline.Schrader | 0% | Avira URL Cloud | safe
https://daabaaru.com/fu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=ax/document | 0% | Avira URL Cloud | safe
https://daabaaru.com/fax/document/lib/img/favicon.ico~ | 0% | Avira URL Cloud | safe
https://daabaaru.com/fax/document/lib/img/favicon.ico | 0% | Avira URL Cloud | safe
https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php?MTYwNTg5MTYwMDZkMDZjNTRlMTMzYjlkYjc1Z | 0% | Avira URL Cloud | safe
http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=Root | 0% | Avira URL Cloud | safe
https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbran | 0% | Avira URL Cloud | safe
https://daabaaru.com/fax/document/lib/img/favicon.ico~( | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daabaaru.com | 198.54.120.245 | true | false | (none) | unknown
cs1025.wpc.upsiloncdn.net | 152.199.23.72 | true | false | (none) | unknown
rwiqipwvnklaqkuu.ltiliqhting.com | 168.62.48.44 | true | false | (none) | unknown
aadcdn.msauthimages.net | unknown | unknown | false | (none) | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php?MTYwNTg5MTYwMDZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTEwMDA5MmRjMDdjYWM1YmYzN2UwMTdkM2M5ZGEwOTllYw==&data=SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | true | SlashNext: Fake Login Page type: Phishing & Social Engineering | unknown
http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | true | (none) | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://daabaaru.com/fax/document/?Jacqueline.Schrader | SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://daabaaru.com/fu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=ax/document | {3E7062E8-2B9D-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | Avira URL Cloud: safe | unknown
https://daabaaru.com/fax/document/lib/img/favicon.ico~ | imagestore.dat.2.dr | false | Avira URL Cloud: safe | unknown
https://daabaaru.com/fax/document/lib/img/favicon.ico | imagestore.dat.2.dr | false | Avira URL Cloud: safe | unknown
https://daabaaru.com/fax/document/myp0dplr1edpvg99v613ua80.php?MTYwNTg5MTYwMDZkMDZjNTRlMTMzYjlkYjc1Z | ~DF8164221878F877A2.TMP.1.dr | false | Avira URL Cloud: safe | unknown
http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=Root | {3E7062E8-2B9D-11EB-90E4-ECF4BB862DED}.dat.1.dr | true | Avira URL Cloud: safe | unknown
https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbran | myp0dplr1edpvg99v613ua80[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://daabaaru.com/fax/document/lib/img/favicon.ico~( | imagestore.dat.2.dr | false | Avira URL Cloud: safe | unknown

Several of these strings are carving artifacts rather than URLs the browser requested: some are cut at a buffer boundary (the .php URL ending in ...ZjYxZ, the CDN URL ending in ...logintenantbran) and some run into neighbouring data (...=Root, favicon.ico~( and the interleaved fu.ltiliqhting.com/...=ax/document string). The complete forms of all of them appear elsewhere in this report.

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.120.245 | unknown | United States (US) | 22612 | NAMECHEAP-NET | false
168.62.48.44 | unknown | United States (US) | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK | false
152.199.23.72 | unknown | United States (US) | 15133 | EDGECAST | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321258
Start date: 20.11.2020
Start time: 17:59:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 33s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.phis.win@3/15@4/3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, ielowutil.exe, backgroundTaskHost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 104.108.39.131, 13.88.21.125, 51.104.144.132
• Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, e11290.dspg.akamaiedge.net, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, go.microsoft.com, arc.msn.com.nsatc.net, go.microsoft.com.edgekey.net, aadcdn.azureedge.net, aadcdn.ec.azureedge.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net, arc.msn.com
• VT rate limit hit for: http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3E7062E6-2B9D-11EB-90E4-ECF4BB862DED}.dat
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:Microsoft Word Document
              Category:dropped
              Size (bytes):30296
              Entropy (8bit):1.853347491182756
              Encrypted:false
              SSDEEP:48:IwEGcpr5GwpLpG/ap8crGIpcA+FGvnZpvA+aaGoUqp9A+GGo4hpmA+V+GWK69A+4:rYZzZN2c9WnitnpfnhhMnunHn+fnwcX
              MD5:8C385A7F0C20F227C678AB6847FA19BA
              SHA1:E89EB09F0A7D25E7D5A623A18C94EF52B55D5474
              SHA-256:ECF0AB41E50A631C494B9701391CA92C9103D97E0B703C54A48A836B3193B8E3
              SHA-512:97633F9891AF69FCA1065EC227ED504DEFCD2F8301F1916AAF039C2155F8682E5B0EC99469704A8DEF5DC5A33A870AFCA4798D20AAA880FE119F1CCAB9B0BB5A
              Malicious:false
              Reputation:low
              Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3E7062E8-2B9D-11EB-90E4-ECF4BB862DED}.dat
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:Microsoft Word Document
              Category:dropped
              Size (bytes):32586
              Entropy (8bit):2.141982914905027
              Encrypted:false
              SSDEEP:192:rxZyQ/6lkjFjq2RkWTMqY7PntBlWV+4WP0WSWsWGVPWgrdg:r3fyujhJtQqOPtBgY/P79DGVOgi
              MD5:46A4404CCF5BB77DE7A9651E3E82F941
              SHA1:5B30271E69E3E96514121FEFC0272C8E851A09E3
              SHA-256:10DED2E730196A164E2F7EDEF3B558B4179C46055E3DCD191750C1DE91B7FB32
              SHA-512:06B1ED848F8793D87D9AEC4FC504E53A1B55E97C63E3EE171240D8B764253B7EB4429C35B1E4C6A800AE9618040FB56E82C394ADEF0D56EFD7BEAD236A465981
              Malicious:false
              Reputation:low
              Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{482E3D4B-2B9D-11EB-90E4-ECF4BB862DED}.dat
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:Microsoft Word Document
              Category:dropped
              Size (bytes):16984
              Entropy (8bit):1.5652358969639593
              Encrypted:false
              SSDEEP:48:IwTGcprqGwpaXG4pQvGrapbShrGQpKrG7HpRmsTGIpG:rpZyQZ6zBShFAqTm4A
              MD5:7B4B94BC2E2AAF99521F1FB308215B1D
              SHA1:3C734697EC7ADC79450880EA9D1489E84BE02F43
              SHA-256:45558A2194290D900C26B5DEDFB449F1FF4BCB0C883A08F53BE876ADE2685DA7
              SHA-512:C606839C1CEBBD654158D9CE1B4F9ECF84ECB9E3A7A436A917170A7C57154BD5ABABA223A532964EA3A0EEE3E309DE01423B0F9D55534F7BEC02D3EF72764228
              Malicious:false
              Reputation:low
              Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:data
              Category:modified
              Size (bytes):18068
              Entropy (8bit):3.068703669669726
              Encrypted:false
              SSDEEP:48:+xpJE/nxpJE/6xpJE/CxpJE/tgyyyyyyyyyyyyyrxpJE/DuxpJE/GQQQQQV:CQQQQQV
              MD5:8001591BD989750FB6F2330E80BA0D86
              SHA1:23FE47255924724370847F3E7774AF4A23001EF4
              SHA-256:4178AF3623ADC4F6AC78430A697834548A86D1228927066C25A4218943BF1024
              SHA-512:7C249784A152EDCD4C6677F32216A194CE431BF095D1B4CA3A2E33EA67F132F75E9065D0F34B6FCBE52F5B90A0D0FBD1F44AF0ADA1CDE2B53D2E8DCBDDAC4231
              Malicious:false
              Reputation:low
              Preview: 5.h.t.t.p.s.:././.d.a.a.b.a.a.r.u...c.o.m./.f.a.x./.d.o.c.u.m.e.n.t./.l.i.b./.i.m.g./.f.a.v.i.c.o.n...i.c.o.~(................h(......(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\arrow[1].svg
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:SVG Scalable Vector Graphics image
              Category:downloaded
              Size (bytes):513
              Entropy (8bit):4.720499940334011
              Encrypted:false
              SSDEEP:12:t4BdU/uRqv6DLfBHKFWJCDLfBSU1pRXIFl+MJ4bADc:t4TU/uRff0EcfIU1XXU+t2c
              MD5:A9CC2824EF3517B6C4160DCF8FF7D410
              SHA1:8DB9AEBAD84CA6E4225BFDD2458FF3821CC4F064
              SHA-256:34F9DB946E89F031A80DFCA7B16B2B686469C9886441261AE70A44DA1DFA2D58
              SHA-512:AA3DDAB0A1CFF9533F9A668ABA4FB5E3D75ED9F8AFF8A1CAA4C29F9126D85FF4529E82712C0119D2E81035D1CE1CC491FF9473384D211317D4D00E0E234AD97F
              Malicious:false
              Reputation:low
              IE Cache URL:https://daabaaru.com/fax/document/lib/img/arrow.svg
              Preview: <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><title>assets</title><path d="M18,11.578v.844H7.617l3.921,3.928-.594.594L6,12l4.944-4.944.594.594L7.617,11.578Z" fill="#404040"/><path d="M10.944,7.056l.594.594L7.617,11.578H18v.844H7.617l3.921,3.928-.594.594L6,12l4.944-4.944m0-.141-.071.07L5.929,11.929,5.858,12l.071.071,4.944,4.944.071.07.071-.07.594-.595.071-.07-.071-.071L7.858,12.522H18.1V11.478H7.858l3.751-3.757.071-.071-.071-.07-.594-.595-.071-.07Z" fill="#404040"/></svg>
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[1].css
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:ASCII text, with very long lines
              Category:downloaded
              Size (bytes):101788
              Entropy (8bit):5.304944776832708
              Encrypted:false
              SSDEEP:1536:QpHDglbuhw+ExmazA/PWrF7qvEAFiQcpmNtuhPyJRD:l74wyJZ
              MD5:4DB4A299AE7E73B3CB53351867416D0C
              SHA1:36C0DFF7A6742EAD3229E476F05C559069C3080F
              SHA-256:10C50B88EBF99FDF813A4CCE86BA218A6E2EA3D266146520529F1E1BDDC5EBD3
              SHA-512:8EB086FC241C314DDD4B15AC6F34DBD61B838E2D7C2B535A02AF2A83A92294AB1C79EB122EFCA8FF648346F4515B35EDEEB13DC5E79EBC2C7E9ACCC4AC5BAA76
              Malicious:false
              Reputation:low
              IE Cache URL:https://daabaaru.com/fax/document/lib/css/login.css
              Preview: /*! Copyright (C) Microsoft Corporation. All rights reserved. *//*!.------------------------------------------- START OF THIRD PARTY NOTICE -----------------------------------------..This file is based on or incorporates material from the projects listed below (Third Party IP). The original copyright notice and the license under which Microsoft received such Third Party IP, are set forth below. Such licenses and notices are provided for informational purposes only. Microsoft licenses the Third Party IP to you under the licensing terms for the Microsoft product. Microsoft reserves all other rights not expressly granted under this agreement, whether by implication, estoppel or otherwise...//-----------------------------------------------------------------------------.twbs-bootstrap-sass (3.3.0).//-----------------------------------------------------------------------------..The MIT License (MIT)..Copyright (c) 2013 Twitter, Inc..Permission is hereby granted, free of charge, to any person
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\white_ellipsis[1].svg
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:SVG Scalable Vector Graphics image
              Category:downloaded
              Size (bytes):915
              Entropy (8bit):3.877322891561989
              Encrypted:false
              SSDEEP:24:t4CvnAVRf83f1QqCSzGUdiHTVtpRduf1QqCWbVHTVeUV0Uv6f1QqCWbVHTVeUV0W:fnL1QqC4GuiHFXS1QqCWRHQ3V1QqCWRV
              MD5:5AC590EE72BFE06A7CECFD75B588AD73
              SHA1:DDA2CB89A241BC424746D8CF2A22A35535094611
              SHA-256:6075736EA9C281D69C4A3D78FF97BB61B9416A5809919BABE5A0C5596F99AAEA
              SHA-512:B9135D934B9EA50B51BB0316E383B114C8F24DFE75FEF11DCBD1C96170EA59202F6BAFE11AAF534CC2F4ED334A8EA4DBE96AF2504130896D6203BFD2DA69138F
              Malicious:false
              Reputation:low
              IE Cache URL:https://daabaaru.com/fax/document/lib/img/white_ellipsis.svg
              Preview: <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"><title>assets</title><path fill="#ffffff" d="M1.143,6.857a1.107,1.107,0,0,1,.446.089,1.164,1.164,0,0,1,.607.607,1.161,1.161,0,0,1,0,.893,1.164,1.164,0,0,1-.607.607,1.107,1.107,0,0,1-.446.089A1.107,1.107,0,0,1,.7,9.054a1.164,1.164,0,0,1-.607-.607,1.161,1.161,0,0,1,0-.893A1.164,1.164,0,0,1,.7,6.946a1.107,1.107,0,0,1,.446-.089M8,6.857a1.107,1.107,0,0,1,.446.089,1.164,1.164,0,0,1,.607.607,1.161,1.161,0,0,1,0,.893,1.164,1.164,0,0,1-.607.607,1.161,1.161,0,0,1-.893,0,1.164,1.164,0,0,1-.607-.607,1.161,1.161,0,0,1,0-.893,1.164,1.164,0,0,1,.607-.607A1.107,1.107,0,0,1,8,6.857m6.857,0a1.107,1.107,0,0,1,.446.089,1.164,1.164,0,0,1,.607.607,1.161,1.161,0,0,1,0,.893,1.164,1.164,0,0,1-.607.607,1.161,1.161,0,0,1-.893,0,1.164,1.164,0,0,1-.607-.607,1.161,1.161,0,0,1,0-.893,1.164,1.164,0,0,1,.607-.607A1.107,1.107,0,0,1,14.857,6.857Z"/></svg>
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\bannerlogo[1]
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:PNG image data, 280 x 60, 8-bit/color RGBA, non-interlaced
              Category:downloaded
              Size (bytes):9540
              Entropy (8bit):7.967996467719025
              Encrypted:false
              SSDEEP:192:fKCmrqpKUhHwbzguYy9g8LP16dxSzAzfie722U/76jEDzpEAi:forqphEBJ6dzzf32HsSzpzi
              MD5:633028E3E6562E7D4040E63BA949CEED
              SHA1:40FD1C8BEA780E2892F535C6971C0095C0334DE7
              SHA-256:A1BA8B90870A2394ED72F66855A85D8583749CCD37C7D89C12147172B0F0DF82
              SHA-512:B7F92F26A8F18B162D55FC1D01FF64D13A88EDA0DF6BBA475266788D89ACDF738C832B3283B4606ED5DE1F9FFE1BA76EB394890E1B53D9DFB861D8258170A764
              Malicious:false
              Reputation:low
              IE Cache URL:https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbranding/0/bannerlogo?ts=636996543392126455
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\myp0dplr1edpvg99v613ua80[1].htm
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
              Category:dropped
              Size (bytes):5544
              Entropy (8bit):3.873797309940102
              Encrypted:false
              SSDEEP:48:1rT5EFT5ELvU2ouWmvAavqWRtUkfkGvIDdiU3UoVv:j06Doul7+kVwX/Vv
              MD5:94027E2DA1E911EBD0FBED95DFE6BB50
              SHA1:CE134805A68BFE4311BD64C6EAC7DBA87A7DFD10
              SHA-256:8C890EB69923B5CA8D7EC3D34760C8CEBD1A13342E1C277EEF1CC1CF6ED91838
              SHA-512:743934B70B4C390EA7CAA2B80AD565314420A0B6942D1EAA9CF492F58B8921223945091B9FBBC2E1732019C73E2D7A1E2DD34A39A5FC766184769D8A7633EC52
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_HtmlPhish_10, Description: Yara detected HtmlPhish_10, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\myp0dplr1edpvg99v613ua80[1].htm, Author: Joe Security
              Reputation:low
              Preview: <html dir=ltr lang=en>..<title>S.ig.n i...n to y.ou.r ac...cou.nt</title>..<link href=lib/img/favicon.ico rel="shortcut icon">..<link href=lib/css/login.css rel=stylesheet>..<div>.. <div>..<div class=background style=background:https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbranding/0/illustration?ts=636395932316151863> .. <div class=backgroundImage style="background-image:url(https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbranding/0/illustration?ts=636395932316151863)"></div><div class=backgroundImage style="background-image:url(https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbranding/0/illustration?ts=636395932316151863)"></div> <div class=background-overlay></div> .. </div>.. </div>.. <div ></div>.. <form method=post action=process>..
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\favicon[1].ico
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:MS Windows icon resource - 6 icons, 128x128, 16 colors, 72x72, 16 colors
              Category:downloaded
              Size (bytes):17174
              Entropy (8bit):2.9129715116732746
              Encrypted:false
              SSDEEP:24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
              MD5:12E3DAC858061D088023B2BD48E2FA96
              SHA1:E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
              SHA-256:90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
              SHA-512:C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
              Malicious:false
              Reputation:low
              IE Cache URL:https://daabaaru.com/fax/document/lib/img/favicon.ico
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\illustration[1]
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:PNG image data, 497 x 280, 8-bit/color RGBA, non-interlaced
              Category:downloaded
              Size (bytes):292413
              Entropy (8bit):7.993308460353361
              Encrypted:true
              SSDEEP:6144:D4mn/fYJnncC5kneJacZfS/EJFlHTKE3lWo20C5fTOYJh:D/YnfLJ1RAE520C55
              MD5:B4B22E30B93E08570B85286EEFB3A91B
              SHA1:66B30F7DAC4D69E0D7E3901663641FF21AFC4EB1
              SHA-256:A3E70BD6453F2E569E04DB73458569598C528E2112FDEEE434BABF6F8E3E0A83
              SHA-512:11B34EA66993EDD583B4ECF72652940DBF2DC136E09BA5E1746285188A0E4B0993180B38A1F992103C62658EFA2B4BE5D32866E6F6C4878A757D81E256022507
              Malicious:false
              Reputation:low
              IE Cache URL:https://aadcdn.msauthimages.net/c1c6b6c8-io4-zs4fy-s8uub0c-ziiztiuzc8njr-nhcgotapjss/logintenantbranding/0/illustration?ts=636395932316151863
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=[1].htm
              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
              File Type:HTML document, ASCII text
              Category:downloaded
              Size (bytes):133
              Entropy (8bit):4.800878350748012
              Encrypted:false
              SSDEEP:3:gnkAqRAdu6/GY7voOkADFoHDjLv2mXduRmQtlcdGhkceYLn:7AqJm7+mmHvLvOYwllhkceYL
              MD5:1B1EFEE01F42705B5F0E808D5B9B326E
              SHA1:97628AA6B1EF88186F3DA3BAE58E93D219405EC7
              SHA-256:1A006DDC9C8E703DC3A9353AF27AD602C96C472A11CD919DC5A1C6A4A59E1D7E
              SHA-512:BED96C6533CCCB03D32D40258B464C010BB415B33D48881EB7E0B320CC5992C7186459F1F2D0A49F6EFBB67FEAC936EEFCA246D0EEDDE0F1C7C62C1659394E00
              Malicious:false
              Reputation:low
              IE Cache URL:http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=
              Preview: <script type="text/javascript">window.location.href = "https://daabaaru.com/fax/document/?Jacqueline.Schrader@rabobank.com"</script>.
              C:\Users\user\AppData\Local\Temp\~DF8164221878F877A2.TMP
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:data
              Category:dropped
              Size (bytes):42267
              Entropy (8bit):0.8136970667119444
              Encrypted:false
              SSDEEP:192:kBqoxKAuqR+4+UluNPWPXfWwWP0WSWsWGVPW:kBqoxKAuqR+4+UluNPWPXenP79DGVO
              MD5:27B8B9A161922324ADA1FD93B02AEF49
              SHA1:51CFAE3E07AAD72086D946FFC211B5425C61EDEC
              SHA-256:4571FC4B8BCF76AE6DC4851420CD72BCC8F41CEBD531A263D145BF6F6DF72389
              SHA-512:917F4A1625A6F6D626DC812288631FB63978AF65A59937F4A23C2326C38CE1C2F47B124E8DF325805BF5F358780DA76C642E998CE7042BEFAC856D6CA384E2DD
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\~DFCA8D72B327600857.TMP
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:data
              Category:dropped
              Size (bytes):13029
              Entropy (8bit):0.47942421065485163
              Encrypted:false
              SSDEEP:24:c9lLh9lLh9lIn9lIn9loaF9lo29lWHZEljxJb7:kBqoIhnHZEl9Jb7
              MD5:DFB75F47EDB174BA88EC56C42CA3E0EF
              SHA1:168107F2857FAF458BD58C8533045CD326E51610
              SHA-256:7D9D4C50F46DB701E1C8D3C8921F732B155882128D6206E013BAC379F3FCF47F
              SHA-512:80B750E9FDB88A3B4337AC1704A8ED5C02CA75641BD5658C110499513F1392C913C6F4726BFD7DDE2F15561458370DCA96F3E2CE3BE1E3C9BB0123109A8B7B22
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\~DFF5D05630EB173D68.TMP
              Process:C:\Program Files\internet explorer\iexplore.exe
              File Type:data
              Category:dropped
              Size (bytes):25441
              Entropy (8bit):0.2889869811528073
              Encrypted:false
              SSDEEP:24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
              MD5:834735C9C0422EAA34CE0690CF19970E
              SHA1:446820612B1BBD99E2921CD7462DDDDB5109FE7D
              SHA-256:391092BB856DF25C9ED2BDE51ED68920E7E92B3F042C86BC6FF59C3C453CA571
              SHA-512:B2ECBFE12ABA3CDBC3C6320F8F2E4B5ACE82BCE5729C61FE6C7D86BCAD1B44DE2B76808D60F49856B798CB14BCD9C623251B23336798A4BB66F32C9475DBD047
              Malicious:false
              Reputation:low

              Static File Info

              No static file info

              Network Behavior

              Network Port Distribution

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Nov 20, 2020 17:59:55.711420059 CET | 49711 | 80 | 192.168.2.3 | 168.62.48.44
              Nov 20, 2020 17:59:55.712136984 CET | 49712 | 80 | 192.168.2.3 | 168.62.48.44
              Nov 20, 2020 17:59:55.812665939 CET | 80 | 49711 | 168.62.48.44 | 192.168.2.3
              Nov 20, 2020 17:59:55.812863111 CET | 49711 | 80 | 192.168.2.3 | 168.62.48.44
              Nov 20, 2020 17:59:55.812994957 CET | 80 | 49712 | 168.62.48.44 | 192.168.2.3
              Nov 20, 2020 17:59:55.813087940 CET | 49712 | 80 | 192.168.2.3 | 168.62.48.44
              Nov 20, 2020 17:59:55.814938068 CET | 49711 | 80 | 192.168.2.3 | 168.62.48.44
              Nov 20, 2020 17:59:55.950814962 CET | 80 | 49711 | 168.62.48.44 | 192.168.2.3
              Nov 20, 2020 17:59:56.133583069 CET | 80 | 49711 | 168.62.48.44 | 192.168.2.3
              Nov 20, 2020 17:59:56.133799076 CET | 49711 | 80 | 192.168.2.3 | 168.62.48.44
              Nov 20, 2020 17:59:56.389200926 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.389796972 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.560720921 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.560857058 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.560955048 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.561012983 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.565922976 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.566257954 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.738210917 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.738256931 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.738291025 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.738293886 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.738311052 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.738322020 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.738337994 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.738378048 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.740032911 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.740565062 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.752310991 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.752353907 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.752393007 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.752418995 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.752507925 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.753484964 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:56.753537893 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.753556013 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.860771894 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.867084026 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.867261887 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.871304989 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:56.871721983 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.301753044 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.301882982 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.474118948 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:57.474169016 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:57.474222898 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.474262953 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.474730015 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:57.474757910 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:57.474832058 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.474869013 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.574626923 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.575493097 CET | 49714 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:57.792448997 CET | 443 | 49714 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:57.792896032 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:58.428229094 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 17:59:58.428524971 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:58.431499958 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 17:59:58.603157997 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 18:00:01.165499926 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 18:00:01.165695906 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 18:00:01.166729927 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 18:00:01.338139057 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 18:00:01.646173000 CET | 80 | 49711 | 168.62.48.44 | 192.168.2.3
              Nov 20, 2020 18:00:01.646358967 CET | 49711 | 80 | 192.168.2.3 | 168.62.48.44
              Nov 20, 2020 18:00:06.134412050 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 18:00:06.134438038 CET | 443 | 49713 | 198.54.120.245 | 192.168.2.3
              Nov 20, 2020 18:00:06.134510994 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 18:00:06.134543896 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 18:00:06.150233030 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 18:00:06.156639099 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 18:00:06.162856102 CET | 49713 | 443 | 192.168.2.3 | 198.54.120.245
              Nov 20, 2020 18:00:06.202255011 CET | 49725 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.202673912 CET | 49724 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.218533993 CET | 443 | 49725 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.218697071 CET | 49725 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.218818903 CET | 443 | 49724 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.218907118 CET | 49724 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.219861031 CET | 49724 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.220225096 CET | 49725 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.236772060 CET | 443 | 49724 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236800909 CET | 443 | 49725 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236824989 CET | 443 | 49725 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236848116 CET | 443 | 49725 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236871004 CET | 443 | 49725 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236886978 CET | 443 | 49725 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236907959 CET | 443 | 49724 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236933947 CET | 443 | 49724 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236957073 CET | 443 | 49724 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.236974955 CET | 443 | 49724 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.237016916 CET | 49725 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.237034082 CET | 49724 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.237046957 CET | 49725 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.237052917 CET | 49725 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.237078905 CET | 49724 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.237085104 CET | 49724 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.237720013 CET | 443 | 49725 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.237746954 CET | 443 | 49724 | 152.199.23.72 | 192.168.2.3
              Nov 20, 2020 18:00:06.237840891 CET | 49725 | 443 | 192.168.2.3 | 152.199.23.72
              Nov 20, 2020 18:00:06.238430977 CET | 49724 | 443 | 192.168.2.3 | 152.199.23.72

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Nov 20, 2020 17:59:52.828905106 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:52.856132984 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:53.577507019 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:53.604475021 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:54.287421942 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:54.314631939 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:54.526159048 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:54.615294933 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:55.649369001 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:55.659660101 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:55.690960884 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:55.695153952 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:56.340729952 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:56.382381916 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:56.468293905 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:56.495450974 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:57.635884047 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:57.671668053 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 17:59:59.047538996 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 17:59:59.074980021 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:00.081125021 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:00.108449936 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:01.176451921 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:01.203773975 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:01.815476894 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:01.842518091 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:03.026276112 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:03.062134027 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:04.415446997 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:04.442562103 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:05.064898968 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:05.092598915 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:06.160326958 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:06.199795008 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:06.997919083 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:07.025255919 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:11.985373974 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:12.024426937 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
              Nov 20, 2020 18:00:17.439239025 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
              Nov 20, 2020 18:00:17.466114044 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3

              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Nov 20, 2020 17:59:55.649369001 CET | 192.168.2.3 | 8.8.8.8 | 0x61d7 | Standard query (0) | rwiqipwvnklaqkuu.ltiliqhting.com | A (IP address) | IN (0x0001)
              Nov 20, 2020 17:59:56.340729952 CET | 192.168.2.3 | 8.8.8.8 | 0x8c16 | Standard query (0) | daabaaru.com | A (IP address) | IN (0x0001)
              Nov 20, 2020 18:00:06.160326958 CET | 192.168.2.3 | 8.8.8.8 | 0x8163 | Standard query (0) | aadcdn.msauthimages.net | A (IP address) | IN (0x0001)
              Nov 20, 2020 18:00:11.985373974 CET | 192.168.2.3 | 8.8.8.8 | 0x97cc | Standard query (0) | daabaaru.com | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Nov 20, 2020 17:59:55.690960884 CET | 8.8.8.8 | 192.168.2.3 | 0x61d7 | No error (0) | rwiqipwvnklaqkuu.ltiliqhting.com | | 168.62.48.44 | A (IP address) | IN (0x0001)
              Nov 20, 2020 17:59:56.382381916 CET | 8.8.8.8 | 192.168.2.3 | 0x8c16 | No error (0) | daabaaru.com | | 198.54.120.245 | A (IP address) | IN (0x0001)
              Nov 20, 2020 18:00:06.199795008 CET | 8.8.8.8 | 192.168.2.3 | 0x8163 | No error (0) | aadcdn.msauthimages.net | aadcdn.azureedge.net | | CNAME (Canonical name) | IN (0x0001)
              Nov 20, 2020 18:00:06.199795008 CET | 8.8.8.8 | 192.168.2.3 | 0x8163 | No error (0) | cs1025.wpc.upsiloncdn.net | | 152.199.23.72 | A (IP address) | IN (0x0001)
              Nov 20, 2020 18:00:12.024426937 CET | 8.8.8.8 | 192.168.2.3 | 0x97cc | No error (0) | daabaaru.com | | 198.54.120.245 | A (IP address) | IN (0x0001)

              HTTP Request Dependency Graph

              • rwiqipwvnklaqkuu.ltiliqhting.com

              HTTP Packets

              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.3 | 49711 | 168.62.48.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
              Timestamp | kBytes transferred | Direction | Data
              Nov 20, 2020 17:59:55.814938068 CET | 42 | OUT | GET /asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= HTTP/1.1
              Accept: text/html, application/xhtml+xml, image/jxr, */*
              Accept-Language: en-US
              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
              Accept-Encoding: gzip, deflate
              Host: rwiqipwvnklaqkuu.ltiliqhting.com
              Connection: Keep-Alive
              Nov 20, 2020 17:59:56.133583069 CET | 53 | IN | HTTP/1.1 200 OK
              Date: Fri, 20 Nov 2020 16:59:55 GMT
              Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
              X-Powered-By: PHP/7.2.34
              Content-Length: 133
              Keep-Alive: timeout=5, max=100
              Connection: Keep-Alive
              Content-Type: text/html; charset=UTF-8
              Data Ascii: <script type="text/javascript">window.location.href = "https://daabaaru.com/fax/document/?Jacqueline.Schrader@rabobank.com"</script>


              HTTPS Packets

              Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
              Nov 20, 2020 17:59:56.740032911 CET | 198.54.120.245 | 443 | 192.168.2.3 | 49714 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
              Certificate chain: Subject | Issuer | Not Before | Not After
              CN=daabaaru.com | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Mar 05 01:00:00 CET 2020 | Sat Mar 06 00:59:59 CET 2021
              CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
              CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
              Nov 20, 2020 17:59:56.753484964 CET | 198.54.120.245 | 443 | 192.168.2.3 | 49713 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
              Certificate chain: Subject | Issuer | Not Before | Not After
              CN=daabaaru.com | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Mar 05 01:00:00 CET 2020 | Sat Mar 06 00:59:59 CET 2021
              CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
              CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029
              Nov 20, 2020 18:00:06.237720013 CET | 152.199.23.72 | 443 | 192.168.2.3 | 49725 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
              Certificate chain: Subject | Issuer | Not Before | Not After
              CN=aadcdn.msauthimages.net, O=Microsoft Corporation, L=Redmond, ST=WA, C=US | CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US | Thu Sep 03 22:55:38 CEST 2020 | Sun Aug 29 22:55:38 CEST 2021
              CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Wed Jul 29 14:30:00 CEST 2020 | Fri Jun 28 01:59:59 CEST 2024
              CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Aug 01 14:00:00 CEST 2013 | Fri Jan 15 13:00:00 CET 2038
              Nov 20, 2020 18:00:06.237746954 CET | 152.199.23.72 | 443 | 192.168.2.3 | 49724 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
              Certificate chain: Subject | Issuer | Not Before | Not After
              CN=aadcdn.msauthimages.net, O=Microsoft Corporation, L=Redmond, ST=WA, C=US | CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US | Thu Sep 03 22:55:38 CEST 2020 | Sun Aug 29 22:55:38 CEST 2021
              CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Wed Jul 29 14:30:00 CEST 2020 | Fri Jun 28 01:59:59 CEST 2024
              CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Aug 01 14:00:00 CEST 2013 | Fri Jan 15 13:00:00 CET 2038
              CN=Microsoft Azure TLS Issuing CA 06, O=Microsoft Corporation, C=USCN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=USWed Jul 29 14:30:00 CEST 2020Fri Jun 28 01:59:59 CEST 2024
              CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=USCN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=USThu Aug 01 14:00:00 CEST 2013Fri Jan 15 13:00:00 CET 2038
              Nov 20, 2020 18:00:12.385561943 CET198.54.120.245443192.168.2.349727CN=daabaaru.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=USCN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GBThu Mar 05 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019Sat Mar 06 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,037f463bf4616ecd445d4a1937da06e19
              CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GBCN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=USFri Nov 02 01:00:00 CET 2018Wed Jan 01 00:59:59 CET 2031
              CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=USCN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GBTue Mar 12 01:00:00 CET 2019Mon Jan 01 00:59:59 CET 2029
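The HTTPS table records, per session, the server certificate chain and the client's JA3 fingerprint plus its digest. Two things an analyst normally wants to check by hand are worth scripting: that the digest column really is the MD5 of the fingerprint string (so the digest can be shared as an indicator), and whether the leaf certificate was valid, and how freshly issued, at the moment of capture. The Python below is an added example and not part of the Joe Sandbox report; the three sample sessions are copied from the table above (leaf certificate only), and the function and constant names (`parse_report_time`, `ja3_components`, `cert_status`, `TZ_OFFSETS`, `SESSIONS`) are my own. It assumes the report only ever prints the CET and CEST zone abbreviations.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Hour offsets for the zone abbreviations the report prints (assumption: only CET/CEST occur).
TZ_OFFSETS = {"CET": 1, "CEST": 2}

# Constructed input: three sessions copied from the HTTPS table above, leaf certificate only.
JA3_A = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171"
         "-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0")
JA3_B = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171"
         "-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
SESSIONS = [
    {"timestamp": "Nov 20, 2020 17:59:56.740032911 CET", "src": "198.54.120.245", "src_port": 443,
     "dst": "192.168.2.3", "dst_port": 49714, "subject": "CN=daabaaru.com",
     "not_before": "Thu Mar 05 01:00:00 CET 2020", "not_after": "Sat Mar 06 00:59:59 CET 2021",
     "ja3": JA3_A, "ja3_digest": "9e10692f1b7f78228b2d4e424db3a98c"},
    {"timestamp": "Nov 20, 2020 18:00:06.237720013 CET", "src": "152.199.23.72", "src_port": 443,
     "dst": "192.168.2.3", "dst_port": 49725,
     "subject": "CN=aadcdn.msauthimages.net, O=Microsoft Corporation, L=Redmond, ST=WA, C=US",
     "not_before": "Thu Sep 03 22:55:38 CEST 2020", "not_after": "Sun Aug 29 22:55:38 CEST 2021",
     "ja3": JA3_A, "ja3_digest": "9e10692f1b7f78228b2d4e424db3a98c"},
    {"timestamp": "Nov 20, 2020 18:00:12.385561943 CET", "src": "198.54.120.245", "src_port": 443,
     "dst": "192.168.2.3", "dst_port": 49727, "subject": "CN=daabaaru.com",
     "not_before": "Thu Mar 05 01:00:00 CET 2020", "not_after": "Sat Mar 06 00:59:59 CET 2021",
     "ja3": JA3_B, "ja3_digest": "37f463bf4616ecd445d4a1937da06e19"},
]


def parse_report_time(text):
    """Parse either report date style ('Thu Mar 05 01:00:00 CET 2020' or
    'Nov 20, 2020 17:59:56.740032911 CET') into an aware UTC datetime.
    Sub-second digits are dropped: the report prints nine, strptime's %f takes at most six."""
    tokens = text.replace(",", "").split()
    zone = next((t for t in tokens if t in TZ_OFFSETS), None)
    if zone is None:
        raise ValueError(f"no known zone abbreviation in {text!r}")
    tokens.remove(zone)
    stripped = " ".join(t.split(".")[0] for t in tokens)
    for fmt in ("%a %b %d %H:%M:%S %Y", "%b %d %Y %H:%M:%S"):
        try:
            naive = datetime.strptime(stripped, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised timestamp layout: {text!r}")
    # Local wall-clock time minus the zone offset gives UTC.
    return (naive - timedelta(hours=TZ_OFFSETS[zone])).replace(tzinfo=timezone.utc)


def ja3_components(fingerprint):
    """Split a JA3 string into its five comma-separated fields, each a dash-separated int list."""
    version, ciphers, extensions, groups, formats = fingerprint.split(",")
    ints = lambda field: [int(x) for x in field.split("-")] if field else []
    return {"version": int(version), "ciphers": ints(ciphers), "extensions": ints(extensions),
            "groups": ints(groups), "formats": ints(formats)}


def ja3_digest(fingerprint):
    """The JA3 digest is the MD5 of the fingerprint string exactly as printed."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def extension_diff(fp_a, fp_b):
    """Return (extensions only in A, extensions only in B) so two digests from one
    client can be explained rather than treated as two different clients."""
    a = set(ja3_components(fp_a)["extensions"])
    b = set(ja3_components(fp_b)["extensions"])
    return sorted(a - b), sorted(b - a)


def cert_status(session):
    """Was the leaf certificate inside its validity window when the session was captured,
    and how many days old was it? Freshly issued DV certificates are a common phishing tell."""
    captured = parse_report_time(session["timestamp"])
    not_before = parse_report_time(session["not_before"])
    not_after = parse_report_time(session["not_after"])
    return {"valid_at_capture": not_before <= captured <= not_after,
            "age_days": (captured - not_before).days,
            "days_left": (not_after - captured).days}


def summarize(sessions):
    """One finding record per session: digest consistency plus certificate timing."""
    return [{"dst_port": s["dst_port"], "server": f'{s["src"]}:{s["src_port"]}',
             "subject": s["subject"], "ja3_digest": s["ja3_digest"],
             "digest_matches": ja3_digest(s["ja3"]) == s["ja3_digest"], **cert_status(s)}
            for s in sessions]


if __name__ == "__main__":
    for record in summarize(SESSIONS):
        print(record)
    print("extensions differing between the two client fingerprints:",
          extension_diff(JA3_A, JA3_B))
```

Note that the same sandbox client produced two different JA3 digests in one run: the ClientHello on port 49727 omits extensions 16 (ALPN) and 24 (token binding) that the earlier hellos carried. A detection keyed on a single JA3 digest would therefore only see part of this browser's traffic, which is the usual caveat with JA3 as an indicator.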

              Code Manipulations

              Statistics

              Behavior

              System Behavior

General (iexplore.exe, 64-bit)

Start time: 17:59:52
Start date: 20/11/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff7ce500000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General (iexplore.exe, 32-bit under Wow64)

Start time: 17:59:53
Start date: 20/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5900 CREDAT:17410 /prefetch:2
Imagebase: 0x910000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
