Analysis Report #B30COPY.htm

Overview

General Information

Sample Name:	#B30COPY.htm
Analysis ID:	345110
MD5:	9fd038de27b73fe352def384cf076995
SHA1:	5100037eb30ce2b98e491196ccf508dfd18414d9
SHA256:	3876920798eb09d4e08654d5eb1c2c1d5760f39a61f32220472362b2ba26adce
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish_7

Contains strings related to BOT control commands

HTML title does not match URL

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Classification

Signatures

Phishing:

Yara detected HtmlPhish_7

Source: Yara match	File source: #B30COPY.htm, type: SAMPLE
Source: Yara match	File source: 657773.pages.csv, type: HTML

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/%23B30COPY.htm	HTTP Parser: Title: Scanned Secured File does not match URL
Source: file:///C:/Users/user/Desktop/%23B30COPY.htm	HTTP Parser: Title: Scanned Secured File does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/%23B30COPY.htm	HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/%23B30COPY.htm	HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/%23B30COPY.htm	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/%23B30COPY.htm	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/%23B30COPY.htm	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/%23B30COPY.htm	HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.54.115.249:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.54.115.249:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.0.175.244:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.0.175.244:443 -> 192.168.2.5:49737 version: TLS 1.2

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 198.54.115.249 198.54.115.249
Source: Joe Sandbox View	IP Address: 104.16.19.94 104.16.19.94
Source: Joe Sandbox View	IP Address: 104.16.19.94 104.16.19.94

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0ab37882,0x01d6f519</date><accdate>0x0ab37882,0x01d6f519</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0ab37882,0x01d6f519</date><accdate>0x0ab37882,0x01d6f519</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0ab83d43,0x01d6f519</date><accdate>0x0ab83d43,0x01d6f519</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0ab83d43,0x01d6f519</date><accdate>0x0ab83d43,0x01d6f519</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0ab83d43,0x01d6f519</date><accdate>0x0ab83d43,0x01d6f519</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0ab83d43,0x01d6f519</date><accdate>0x0ab83d43,0x01d6f519</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: code.jquery.com

Source: popper.min[1].js.2.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: #B30COPY.htm	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: #B30COPY.htm	String found in binary or memory: https://api.statvoo.com/favicon/?url=$
Source: #B30COPY.htm	String found in binary or memory: https://app.forexliteoptions.com/core/database/xero/css/hover.css
Source: #B30COPY.htm	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/md5.js
Source: #B30COPY.htm	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/core.min.js
Source: #B30COPY.htm	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: #B30COPY.htm	String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: #B30COPY.htm	String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: #B30COPY.htm	String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: free.min[1].css.2.dr	String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.2.dr	String found in binary or memory: https://fontawesome.com/license/free
Source: #B30COPY.htm	String found in binary or memory: https://fonts.googleapis.com/css?family=Yellowtail&display=swap
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/yellowtail/v11/OZpGg_pnoDtINPfRIlLohlvHxw.woff)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr	String found in binary or memory: https://getbootstrap.com)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.2.dr	String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.2.dr	String found in binary or memory: https://kit.fontawesome.com
Source: #B30COPY.htm	String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: #B30COPY.htm	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: #B30COPY.htm	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: #B30COPY.htm	String found in binary or memory: https://outlook.office.com/mail/inbox
Source: #B30COPY.htm	String found in binary or memory: https://solutionsaec-my.sharepoint.com/:x:/g/personal/jblanquart_solutions-aec_com/Eco5JmDEVEFLtBrJ2
Source: #B30COPY.htm	String found in binary or memory: https://stratexe.net/coc/realm/send.php
Source: #B30COPY.htm	String found in binary or memory: https://www.stratexe.net/co/Untitled1.jpg

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.54.115.249:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.54.115.249:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.0.175.244:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.0.175.244:443 -> 192.168.2.5:49737 version: TLS 1.2

Source: classification engine

Classification label: mal48.phis.winHTM@3/28@7/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{34802B54-610C-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF92CAE777F9950E09.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2076 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2076 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Remote Access Functionality:

Contains strings related to BOT control commands

Source: #B30COPY.htm

String found in binary or memory: window.location.href = href.replace(/]/g, '') + `#cmd=login_submit&id=${rand + rand}&session=${md5 + md5}`

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.54.115.249	unknown	United States	22612	NAMECHEAP-NETUS	false
104.16.19.94	unknown	United States	13335	CLOUDFLARENETUS	false
154.0.175.244	unknown	South Africa	37611	AfrihostZA	false

Contacted Domains

Name	IP	Active
cdnjs.cloudflare.com	104.16.19.94	true
app.forexliteoptions.com	198.54.115.249	true
www.stratexe.net	154.0.175.244	true
ka-f.fontawesome.com	unknown	unknown
code.jquery.com	unknown	unknown
kit.fontawesome.com	unknown	unknown
maxcdn.bootstrapcdn.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/%23B30COPY.htm	true		low

ID:	345110
Product:	CloudBasic
Start time:	17:56:53
Start date:	27.01.2021
Sample:	#B30COPY.htm
Cookbook:	defaultwindowshtmlcookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	9fd038de27b73fe352def384cf076995
SHA1:	5100037eb30ce2b98e491196ccf508dfd18414d9
SHA256:	3876920798eb09d4e08654d5eb1c2c1d5760f39a61f32220472362b2ba26adce
Filetype:	HyperText Markup Language (12001/1) 20.69%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{34802B54-610C-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	CD7E98AFD290EA2DE1DD4C3DFB771656	82ECA934B281BF3B088FAD6649E2C6D1077C0B5F	ACDE441CEEE2B2D9B4E1F49C1017DF4F129550195964B69DB7862BA04636DD8C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{34802B56-610C-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	568BE5FDFCFA731003C8584373074717	5FD35F972A704EF3AB0C067604A14A52F02455C9	72BFB4DC4A723E2EB1F6E6DC19B008C7BFA57653F9C1664ACCF0BEAECDAAF158
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{34802B57-610C-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	64B260BFE6F938DB7B6A3906166BC058	DBA52ED505CB8B6A21341D4277D7F9985011506C	CC320B61976B78E9D85BCA0820D8242EBED0EE7A56FA204924348DA0FB580519
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	FC81AC46BF2B90E8FCD8D19EA0EC4795	8FE609CB003DDF6902794415447AEB968D805DA7	FA00D38E87631DDD79210CFFDA1AD0A24562FE30679847D204F8BBAED940ABCA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	F701070076D0ED2F7C446559AEC24D80	1609CFFEAD5D79D39018D2D32240E9B16C07D682	1608253BDA63F565380700D6AB161BD1114FF3872AC113D415BACC6A090FEA04
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	99124375B3D4AB5BF6212FDACF821C20	5834CB443A353BF07B6CADF451865840258415D3	99BF9D4721C286B35CC4ED66FA6FD8BCDB1CAA0B54C7B5D754552394C9BC0C73
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	2E1E04EEAC5E21EF483D60FFA54F80DD	88DF16640F5C2F5E95349195663691DD21BA26F7	8CC2C288E7DA46AE15EAB07DE1A82BE102F73403216BFE98DEF4220147619026
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	01954EA3F90107C6A698C6A5D2CE429C	C32886EC986634EE4CB7129A686F34AEF60C7F48	5896E798E87810B4C303C64D831E82CB61EBAB8A9EE1BD14F60B5242ACD631BD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	65B0F07C88791BC04C31AD4D2EA81831	D12A5DA5C8D3969501751388D8250C048C4E0DBB	717BA9F9A1CF4B8846A3DEF6AE97E3E98287E1DC6E2A0C140C57AAA766238071
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	4BCB6716A392FDB4B6C438773B1CBF4F	F827E5F80833A58E1510A5ACFADBA0C54550B7A7	9DECB68FDF2F39325C5E31D0A59F938CA929FD3257DB3F588BC1BFEE19A5D6EF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	FC85B9C8433EB1B49B0DE798A572816A	9014E0FFE0BD5D8F181AA974C8D65D2B7AE1BE7A	9A331A01EBD6F57F9D454826DC55BA170FAAAF30E1C76512A91D318D9F8ECAFF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	137F9A1D4036215EE9E88143B3F196D5	68502E731125FCA513A537FE64062C2214633537	B1F6A992268C3F2223995FBCEB151818F209E8D889916A5C6559C32E2F9C3453
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\bootstrap.min[1].css	ASCII text, with very long lines	450FC463B8B1A349DF717056FBB3E078	895125A4522A3B10EE7ADA06EE6503587CBF95C5	2C0F3DCFE93D7E380C290FE4AB838ED8CADFF1596D62697F5444BE460D1F876D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\bootstrap.min[1].js	ASCII text, with very long lines	14D449EB8876FA55E1EF3C2CC52B0C17	A9545831803B1359CFEED47E3B4D6BAE68E40E99	E7ED36CEEE5450B4243BBC35188AFABDFB4280C7C57597001DE0ED167299B01B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\jquery-3.1.1.min[1].js	ASCII text, with very long lines	E071ABDA8FE61194711CFC2AB99FE104	F647A6D37DC4CA055CED3CF64BBC1F490070ACBA	85556761A8800D14CED8FCD41A6B8B26BF012D44A318866C0D81A62092EFD9BF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\jquery-3.2.1.slim.min[1].js	ASCII text, with very long lines	5F48FC77CAC90C4778FA24EC9C57F37D	9E89D1515BC4C371B86F4CB1002FD8E377C1829F	9365920887B11B33A3DC4BA28A0F93951F200341263E3B9CEFD384798E4BE398
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\585b051251[1].js	ASCII text, with very long lines	4B900F0AF3BBDA85E1077C8EC8C83831	7E7015965195F25AFA3A47BE2108278AD6A0A4AC	7943D6D067DB8587E9FB675F0D2CC78D6C90C91B187CF8642A3F52FF91381685
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\core.min[1].js	ASCII text, with very long lines, with no line terminators	E9325F1AECE67B8282928D85F07DE758	94C8B9CB36019463170593F85569B607B0722DA3	80D0635FE9783BEC07A43419DEB4E9969BF30A78F008386826C9723B7651F43C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\jquery.min[1].js	ASCII text, with very long lines	2F6B11A7E914718E0290410E85366FE9	69BB69E25CA7D5EF0935317584E6153F3FD9A88C	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\md5[1].js	ASCII text	349498F298A6E6E6A85789D637E89109	E626C530154C07527ABCFB1F83B9EC578A81B234	97DC67431DBD3360EA838FECAD611A30F540F8389BBD15B89A1E14BA8DBB54AA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\popper.min[1].js	ASCII text, with very long lines	70D3FDA195602FE8B75E0097EED74DDE	C3B977AA4B8DFB69D651E07015031D385DED964B	A52F7AA54D7BCAAFA056EE0A050262DFC5694AE28DEE8B4CAC3429AF37FF0D66
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\free-v4-shims.min[1].css	ASCII text, with very long lines	1848E71668F42835079E5FA2AF6CF4A8	6AE345E2FEB8C2A524E7CF9E22A3A87BAEE60593	D7CC3C57F9BDA4C6DCB83BB3C19F2F2AA86ECEC6274E243CD4EC315AE8E30101
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\free.min[1].css	ASCII text, with very long lines	4ECC071B77D6B1790FA9FB8A5173F972	B44FCBAAC4F3AA7381D71DE20064AC84B0B729D1	8C7BBA7DEB64FF95E98F7AC8CD0D3B675A4BCF02F302E57EDC5A1D6FA3D6CF94
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Untitled1[1].jpg	PNG image data, 799 x 502, 8-bit/color RGBA, non-interlaced	8070A602EE62C504688EAAFBB6CDD7D8	FE19A5B99A9791F1E450BEC86B1A99A5BE990179	2E0DB89BE0DB86ED485D0C7505C0EF0FF41D752FB322DEDBAA31FD64DAE4FAE3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\css[1].css	ASCII text	04F7435B2672FBE66984EA436E7087C6	44896875E69B297EB979CC0D3E8522D872656BA8	F9088C15A062F0C7708C3864C5E261A2E4961DFEB0F150DF744FAEC2E3B74AD6
C:\Users\user\AppData\Local\Temp\~DF92CAE777F9950E09.TMP	data	9632FD10F1BE6B3EB793AD218E652F2A	ED9A0439FC12C655E19519C4C23E25CC6ED2DB89	ACEE258BBAC89F457376BD41A8E35D3EAAA29EA6027CD7580BFA42412C903CD8
C:\Users\user\AppData\Local\Temp\~DFFA05A35BBB43BEE5.TMP	data	5D9AF1D31494BE282EF1FAA9AB7A77F3	D73A1CEE2C53CABAC3F4513CB25C44F14BC585D1	361FDF14DBF0C79680C0EF002F60E29E58E9E64FC7A168BE1720F72A7EB08A3E
C:\Users\user\AppData\Local\Temp\~DFFE549B178B65E1B5.TMP	data	AB889A32AB9ACD33E816C2422337C69A	1190C6B34DED2D295827C2A88310D10A8B90B59B	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA

Analysis Report #B30COPY.htm

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing:

Compliance:

Networking:

System Summary:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs