Analysis Report https://archchicago.us7.list-manage.com/track/click?u=32277848bb5b49b8121a67d14&id=54644935c5&e=e7e099342b#Florence.Narine@agf.com

Overview

General Information

Sample URL: https://archchicago.us7.list-manage.com/track/click?u=32277848bb5b49b8121a67d14&id=54644935c5&e=e7e099342b#Florence.Narine@agf.com
Analysis ID: 345213

Detection

HTMLPhisher
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Phishing site detected (based on logo template match)
Found iframes
HTML body contains low number of good links
No HTML title found
URL contains potential PII (phishing indication)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com SlashNext: Label: Fake Login Page type: Phishing & Social usering

Phishing:

Phishing site detected (based on favicon image match)
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match File source: 134349.0.links.csv, type: HTML
Source: Yara match File source: 134349.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm, type: DROPPED
Phishing site detected (based on logo template match)
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# Matcher: Template: microsoft matched
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com Matcher: Template: microsoft matched
Found iframes
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: Iframe src: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: Iframe src: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: Iframe src: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: Iframe src: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
HTML body contains low number of good links
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: Number of links: 0
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: Number of links: 0
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: Number of links: 0
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: Number of links: 0
No HTML title found
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: HTML title missing
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: HTML title missing
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: HTML title missing
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: HTML title missing
URL contains potential PII (phishing indication)
Source: https://archchicago.us7.list-manage.com/track/click?u=32277848bb5b49b8121a67d14&id=54644935c5&e=e7e099342b#Florence.Narine@agf.com Sample URL: PII: Florence.Narine@agf.com
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: No <meta name="author".. found
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: No <meta name="author".. found
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: No <meta name="author".. found
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: No <meta name="author".. found
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: No <meta name="copyright".. found
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: No <meta name="copyright".. found
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html# HTTP Parser: No <meta name="copyright".. found
Source: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 23.227.133.50:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.227.133.50:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.101.109.44:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.101.109.44:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.229.221.185:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.229.221.185:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.150.0:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.150.0:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.218.111.133:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.218.111.133:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.101.109.44:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: archchicago.us7.list-manage.com
Source: suspendedpage[1].htm.2.dr String found in binary or memory: http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4
Source: jquery.1.11.min_tu0oeunbyls-a4imj8e0xq2[1].js.2.dr String found in binary or memory: http://gsgd.co.uk/sandbox/jquery/easing/
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://aadcdn.msauth.net/ests/2.1/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg
Source: imagestore.dat.2.dr String found in binary or memory: https://aadcdn.msauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico
Source: imagestore.dat.2.dr String found in binary or memory: https://aadcdn.msauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico~
Source: imagestore.dat.2.dr String found in binary or memory: https://aadcdn.msauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico~(
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/aad.login.min_c38fti7z7e0m2csp02b-sa2.js
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_rayhgcterrtxpnvapp3er
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/jquery.1.11.min_tu0oeunbyls-a4imj8e0xq2.js
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/microsoft_logo.png
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/0-small_138bcee624fa04ef9b75e86211
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/0_a5dbd4393ff6a725c7e62b61df7e72f0
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/personal_account_0f72b5950600f24e7f9a604b186f3
Source: logout[1].htm.2.dr String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/work_account_1963c6b1926b773986f53f844ce4c32e.
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://dancevida.com/css/app.css
Source: all[1].css.2.dr String found in binary or memory: https://fontawesome.com
Source: all[1].css.2.dr String found in binary or memory: https://fontawesome.com/license/free
Source: {42C4481C-6123-11EB-90E5-ECF4BB2D2496}.dat.1.dr String found in binary or memory: https://fra1.digitaloc
Source: ~DFFC78C53105AF8248.TMP.1.dr String found in binary or memory: https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28
Source: ~DFFC78C53105AF8248.TMP.1.dr String found in binary or memory: https://fra1.digitaloceanspaces.com/newonenow/E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%2
Source: {42C4481C-6123-11EB-90E5-ECF4BB2D2496}.dat.1.dr String found in binary or memory: https://fra1.digitalocnsdidews32ewdsering/pdansdidewsd32waedsrish?ct=t(Parish_Food_Pantry_1_26_2021_
Source: bootstrap.min[1].js.2.dr, bootstrap.min[2].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://getbootstrap.com/)
Source: logout[1].htm.2.dr String found in binary or memory: https://github.com/douglascrockford/JSON-js
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[2].js.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr, {42C4481C-6123-11EB-90E5-ECF4BB2D2496}.dat.1.dr String found in binary or memory: https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28543.10/content/images/backgrounds/0_a5dbd4393ff6a725c7e62b61df7
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28543.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://sms.baptemedelair.fr/vendor/todayzoo.php
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.bundle.min.js
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://sustainableinfrastructure.org/wp-content/themes/isi-child/images/waiting.gif
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr String found in binary or memory: https://use.fontawesome.com/releases/v5.6.1/css/all.css
Source: {42C4481C-6123-11EB-90E5-ECF4BB2D2496}.dat.1.dr, ~DFFC78C53105AF8248.TMP.1.dr String found in binary or memory: https://www.orka.mk/consdidews32ewdsering/pdansdidewsd32waedsrish?ct=t(Parish_Food_Pantry_1_26_2021_
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: classification engine Classification label: mal68.phis.win@3/38@14/9
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{42C4481A-6123-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFBE004E96809C3348.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4872 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4872 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ^%25#&#YTJTERTREJHJHEG#^&%25&#^(#^(#&(#^&#^#%25O(#&)(&##&([1].htm.2.dr Binary or memory string: <P><IMG style="HEIGHT: 54px; WIDTH: 380px" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/4QBaRXhpZgAATU0AKgAAAAgABQMBAAUAAAABAAAASgMDAAEAAAABAAAAAFEQAAEAAAABAQAAAFERAAQAAAABAAAOxFESAAQAAAABAAAOxAAAAAAAAYagAACxj//bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv/AABEIADIBTgMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/AP38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACqbeIdATU/7EbXLMXhGfsZuk83H+7nP6V5pe6l4i+IXx61z4W6j4q1Cx0fTtLjnih0uVYHkYrBkO4UsQfNbjI7e+fPP2ofhj4P+Gy6CfCdhJDJeNdG6mluXkaUr5O0ncTjG5umOtOwH01RWF8L5ZJvhp4dmmkZnbQrRmZjkkmFOTW7SAKKK8V+P/7R3iLwL4qHg/wXFah7eJXvLqePzDubkIozgYGMk5OTjjHIB7VRXyH488VXHiHXze/EPxPqUmo/KXttOjAhsMgERqGcZYfxAYwc/MTk17H+z18WNKn02PwR4k+IFrqF952NLkk8xZZYiAQjl1xvByMbmPbnHNcoHrNFFFSAVVvdb0bTbiG01HV7W3luJFSCOa4VWkYnAVQTySeAB1ryz9qG78a3GreFfCPgzXbmzk1i4uIpBBctEr4MOC5XnaNzH6ZrySz8Iz+GfGHhnxdoPie31y3u9aRIbpY5E/0iKRCUYPg91IOeQe1VygfXFFeQfCP41/E7xd4xtdE8b6Xpem29zJNFFD9jmjuJ5I0ZmChnOAu35mIxn5RyePX6kDz39rZmX9lT4mspwR8PdaII7f6DNX4a/bbz/n6k/wC/hr90v2oNI1bxB+zR8RNB0HS7i+vr7wLq9vZ2dnC0k1xM9lKqRoigszMxACgEkkAV+Nf/AAyR+1b/ANGyfEL/AMIu+/8AjVfi3ilhsVXx+HdKEpWi9k318j+svo65hl+DyXHRxNWEG6kbc
0kr+70u0ejf8EsLq5k/by8CJJcSMv8AxNOGY/8AQLu65v7Xd/8APzJ/32a9S/4Jr/s7ftBeBP21fBfirxv8CvGWjaXa/wBo/atS1Xwxd29vDu026Rd0kkYVcsyqMnksB1Irn/8Ahmn9o3/ogHjb/wAJW8/+N1+D8fZXmtbIcBGnQm2quIulGTavDDWvZdbO3oz8q+k5iMPjuNMJPCzU4rDxTcWpK/tKml1fXYk/Zrurlv2jPACtcSEHxtpWRuP/AD+RV+u1flr+z5+z58fNF+PfgfWNY+CHjC0s7Txhps11dXXhq6jjhjW6jZndmjAVQASSTgAZNfqVX6z9HjB4zB5Ljo4inKDdSNuZNX93pdI/C8ojKNOV11CodQ1PTtItWvtV1CG1hX701xKEUfUkgVNXgPgj4i+Lfi98VtSGpW9jdeE4Vdry21OFWgtrZchXBI4kPXOeec8KMf0Qeue4aP4m8N+Igx8P+ILG+8v7/wBjukl2/XaTir1eC/FDVLfwb4EsvFn7PC6fbaP9rZNS1Cwh3XCybhtV2cFghPY+qjowB9e+Gni//hPPAemeLWiWN7y3zMq9BIpKuB7blOPagDcooooAqavr+heH4Fude1q0sY2basl5cLGpPoCxHNLY63o2qELpur2txldw8i4V8r68HpXzj+0LYah4q/aGtvCusav9ns52tILSRmysEbhdzYz13lvTPFR+Pfhv4K8AR6g1npvi7Rb3TMnS9anUSW97IDgAPGo8st1ByMd+eKqwH05RXn/7OPxK1L4keAvtGuSeZf6fcG3uJsf60bQVc+5BwfcE969AqQCob7U9O0xY31LUIbcTSCOIzyhN7kEhRk8nAJx14NTV5H+2Z/yS+w/7D0X/AKInoA9czRXl1v8AGfSfhV4D8Gw+JtGu5LPUPD1sUvrXDbJFiTKspx2IOQSTzxxXbeCfiL4N+IdnJe+ENbju1h2+fGFZXi3ZxuVgCM4PscHFAG3RRRQAUUUUAFFFFABRRRQB53F4VfwX8Ztd+LeuXE32LULGO2t47SwluCoCQbnfywSuDEe2MHOR0rzP9rTxz4S8bL4fPhXXYb37ObsXCxZ3Rlv
Behavior Graph (ID: 345213, URL: https://archchicago.us7.lis..., Startdate: 27/01/2021, Architecture: WINDOWS, Score: 68)

Graph nodes recovered from the rendering:
  • Signatures on the sample: Antivirus detection for URL or domain; Phishing site detected (based on favicon image match); Yara detected HtmlPhish_10; Phishing site detected (based on logo template match)
  • DNS/IP info on the sample: prda.aadg.msidentity.com, cdn.onenote.net, aadcdn.msauth.net
  • Process: iexplore.exe started, which in turn started a second iexplore.exe
  • DNS/IP info from the child iexplore.exe: dancevida.com 50.87.150.0, 443, 49713, 49714 UNIFIEDLAYER-AS-1US United States; fontawesome-cdn.fonticons.netdna-cdn.com 23.111.9.35, 443, 49719, 49720 HIGHWINDS2US United States; 17 other IPs or domains
  • Dropped file from the child iexplore.exe: ^%25#&#YTJTERTREJH...5O(#&)(&##&([1].htm, HTML

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. IP-count shading: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
3.218.111.133 unknown United States 14618 AMAZON-AESUS false
23.111.9.35 unknown United States 33438 HIGHWINDS2US false
23.227.133.50 unknown United States 55081 24SHELLSUS false
192.229.221.185 unknown United States 15133 EDGECASTUS false
152.199.23.37 unknown United States 15133 EDGECASTUS false
5.101.109.44 unknown Netherlands 14061 DIGITALOCEAN-ASNUS false
50.87.150.0 unknown United States 46606 UNIFIEDLAYER-AS-1US false
104.16.19.94 unknown United States 13335 CLOUDFLARENETUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
dancevida.com 50.87.150.0 true
cs1100.wpc.omegacdn.net 152.199.23.37 true
fra1.digitaloceanspaces.com 5.101.109.44 true
sustainableinfrastructure.org 3.218.111.133 true
cdnjs.cloudflare.com 104.16.19.94 true
fontawesome-cdn.fonticons.netdna-cdn.com 23.111.9.35 true
cs1227.wpc.alphacdn.net 192.229.221.185 true
orka.mk 23.227.133.50 true
stackpath.bootstrapcdn.com unknown unknown
logincdn.msauth.net unknown unknown
aadcdn.msftauth.net unknown unknown
aadcdn.msauth.net unknown unknown
use.fontawesome.com unknown unknown
www.orka.mk unknown unknown
archchicago.us7.list-manage.com unknown unknown
login.microsoftonline.com unknown unknown
cdn.onenote.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation

https://fra1.digitaloceanspaces.com/newonenow/
    Malicious: false
    Reputation: high

https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#Florence.Narine@agf.com
    Malicious: false
    Antivirus Detection: SlashNext: Fake Login Page type: Phishing & Social usering
    Reputation: high

https://fra1.digitaloceanspaces.com/newonenow/%5E%25%23%26%23YTJTERTREJHJHEG%23%5E%26%25%26%23%5E%28%23%5E%28%23%26%28%23%5E%26%23%5E%23%25O%28%23%26%29%28%26%23%23%26%28.html#
    Malicious: false
    Reputation: high