Analysis Report FAX-MESSAGE201636576736375362.hTMl

Overview

General Information

Sample Name:	FAX-MESSAGE201636576736375362.hTMl
Analysis ID:	356226
MD5:	9c0f59a8ec93478511d689bfb7d9a74a
SHA1:	f35fc0edde9dbe0a9887e947fba8b95c2fad719c
SHA256:	59c6ccf88f60e9255e6886bf2865c45795e97a61bf135f2e125537540c7c71b2
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish_10

HTML title does not match URL

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Classification

Signatures

Phishing:

Phishing site detected (based on favicon image match)

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish_10

Source: Yara match	File source: FAX-MESSAGE201636576736375362.hTMl, type: SAMPLE
Source: Yara match	File source: 142233.pages.csv, type: HTML

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: Title: Sign in to your account does not match URL
Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: Title: Sign in to your account does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.5:49725 version: TLS 1.2

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 152.199.23.37 152.199.23.37
Source: Joe Sandbox View	IP Address: 104.16.18.94 104.16.18.94
Source: Joe Sandbox View	IP Address: 104.16.18.94 104.16.18.94

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: privacystatement[1].htm.2.dr	String found in binary or memory: <ul><li>Sources of personal data: Interactions with users</li><li>Purposes of Processing (Collection and Sharing with Third Parties): Provide our products; product improvement; product development; customer support; and help, secure, and troubleshoot</li><li>Recipients: Service providers and user-directed entities</li></ul></li></ul><p>While the bulleted list above contains the primary sources and purposes of processing for each category of personal data, we also collect personal data from the sources listed in the <a target="_blank" class="mscom-link" href="#mainpersonaldatawecollect">Personal data we collect</a> section, such as developers who create experiences through or for Microsoft products. Similarly, we process all categories of personal data for the purposes described in the <a target="_blank" class="mscom-link" href="#mainhowweusepersonaldatamodule">How we use personal data</a> section, such as meeting our legal obligations, developing our workforce, and doing research.</p><p><strong>Disclosures of personal data for business or commercial purposes</strong>. As indicated in the <a target="_blank" class="mscom-link" href="#mainreasonswesharepersonaldatamodule">Reasons we share personal data</a> section, we share personal data with third parties for various business and commercial purposes. The primary business and commercial purposes for which we share personal data are the purposes of processing listed in the table above. However, we share all categories of personal data for the business and commercial purposes in the <a class="mscom-link" href="#mainreasonswesharepersonaldatamodule">Reasons we share personal data</a> section.</p></span></div><div class="divModuleDescription"><span id="Header13">Advertising</span><span id="navigationHeader13">Advertising</span><span id="moduleName13">mainadvertisingmodule</span><div class="printsummary" style="display: block;">Summary</div><span class="Description" id="ShortDescription13"><p>Advertising allows us to provide, support, and improve some of our products. Microsoft does not use what you say in email, chat, video calls or voice mail, or your documents, photos, or other personal files to target ads to you. We use other data, detailed below, for advertising in our products and on third-party properties. For example:</p><ul><li>Microsoft may use data we collect to select and deliver some of the ads you see on Microsoft web properties, such as <a target="_blank" class="mscom-link" href="https://www.microsoft.com">Microsoft.com</a>, MSN, and Bing.</li><li>When the advertising ID is enabled in Windows 10 as part of your privacy settings, third parties can access and use the advertising ID (much the same way that websites can access and use a unique identifier stored in a cookie) to select and deliver ads in such apps.</li><li>We may share data we collect with partners, such as Verizon Media, AppNexus, or Facebook (see below), so that the ads you see in our products and their products ar
Source: privacystatement[1].htm.2.dr	String found in binary or memory: s <a target="_blank" class="mscom-link" href="https://www.linkedin.com/legal/privacy-policy">Privacy Policy</a>.</p></span></div><div class="divModuleDescription"><span id="Header29">Search, Microsoft Edge, and artificial intelligence</span><span id="navigationHeader29">Search, Microsoft Edge, and artificial intelligence</span><span id="moduleName29">mainsearchaimodule</span><div class="printsummary" style="display: block;">Summary</div><span class="Description" id="ShortDescription29" aria-expanded="false"><p>Search and artificial intelligence products connect you with information and intelligently sense, process, and act on information equals www.linkedin.com (Linkedin)
Source: privacystatement[1].htm.2.dr	String found in binary or memory: s health, oral health, osteoporosis, skin health, sleep, and vision / eye care. We will also personalize ads based on custom, non-sensitive health-related interest categories as requested by advertisers.</li><li><strong>Children and advertising</strong>. We do not deliver personalized advertising to children whose birthdate in their Microsoft account identifies them as under 16 years of age.</li><li><strong>Data retention</strong>. For personalized advertising, we retain data for no more than 13 months, unless we obtain your consent to retain the data longer.</li><li><strong>Data sharing</strong>. In some cases, we share with advertisers reports about the data we have collected on their sites or ads.</li></ul><p><strong>Data collected by other advertising companies</strong>. Advertisers sometimes include their own web beacons (or those of their other advertising partners) within their advertisements that we display, enabling them to set and read their own cookie. Additionally, Microsoft partners with third-party ad companies to help provide some of our advertising services, and we also allow other third-party ad companies to display advertisements on our sites. These third parties may place cookies on your computer and collect data about your online activities across websites or online services. These companies currently include, but are not limited to: <a target="_blank" class="mscom-link" href="https://www.appnexus.com/">AppNexus</a>, <a target="_blank" class="mscom-link" href="https://www.facebook.com/help/568137493302217">Facebook</a>, <a target="_blank" class="mscom-link" href="https://www.media.net/adchoices">Media.net</a>, <a target="_blank" class="mscom-link" href="https://my.outbrain.com/recommendations-settings/home">Outbrain</a>, <a target="_blank" class="mscom-link" href="https://www.taboola.com/privacy-policy#user-choices-and-optout">Taboola</a> and <a target="_blank" class="mscom-link" href="https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/index.html">Verizon Media</a>. Select any of the preceding links to find more information on each company's practices, including the choices it offers. Many of these companies are also members of the <a target="_blank" class="mscom-link" href="https://www.networkadvertising.org/managing/opt_out.aspx">NAI</a> or <a target="_blank" class="mscom-link" href="https://www.aboutads.info/choices/">DAA</a>, which each provide a simple way to opt out of ad targeting from participating companies.</p></span></div><div class="divModuleDescription"><span id="Header14">Collection of data from children</span><span id="navigationHeader14">Collection of data from children</span><span id="moduleName14">maincollectionofdatafromchildrenmodule</span><div class="printsummary" style="display: block;">Summary</div><span class="Description" id="ShortDescription14"><p>When a Microsoft product collects age, and there is an age in your jurisdiction under which parental consent or authorization is required to u

Source: unknown

DNS traffic detected: queries for: manmedia.org

Source: icons[1].eot.2.dr	String found in binary or memory: http://fontello.com
Source: icons[1].eot.2.dr	String found in binary or memory: http://fontello.comiconsRegulariconsiconsVersion
Source: 17-f90ef1[1].js.2.dr	String found in binary or memory: http://github.com/requirejs/almond/LICENSE
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: http://logo.clearbit.com/
Source: popper.min[1].js.2.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: privacystatement[1].htm.2.dr	String found in binary or memory: http://www.asp.net/ajaxlibrary/CDN.ashx.
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: http://www.mpegla.com
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: http://www.mpegla.com).
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.s
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-2ivja-xubozxczt8hkuyvxiwoa4vmtaxu-16djdwpc4/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-bo8shd6svfocawg-d1lkuqyily-ch6cw-n5c0rmtwbq/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-mg0l7zcxfhbgphoiomweiqgq-z4rxnrzczncff4igy/logintenantbrandi
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-pd-rbmzbvqe7c-fjbigunke9t2gf5jszgqrgsatxfkk/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-pglwtvfgjxd-jsxdxcu-ixstqem6dnqipplqonbe8ro/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-uhsmbqxf0i-fc4inz9zgqi96xh-agvghl3xbkxk-y7c/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-xs-ly6aik51q1xmokwuzg7cgil517bv-ngigbudd-ua/logintenantbrand
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.3.1.min.js
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://aka.ms/DPA
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://aka.ms/kinectprivacy/
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://aka.ms/redeemrewards
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://aka.ms/redeemrewards).
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://aka.ms/taxservice
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://aka.ms/useterms
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://code.jquery.com/jquery-3.3.1.slim.min.js
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://developer.yahoo.com/flurry/end-user-opt-out/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protectio
Source: bootstrap.min[1].js.2.dr	String found in binary or memory: https://getbootstrap.com/)
Source: app[1].css.2.dr	String found in binary or memory: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css
Source: bootstrap.min[1].js.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: actions[1].js.2.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://login.skype.com/login
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://manmedia.org/offic/n.page/actions.js
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://manmedia.org/offic/n.page/jqueryLib.js
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://manmedia.org/offic/n.page/style.css
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://mixer.com/about/tos
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://mixer.com/contact
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://mixpanel.com/optout
Source: style[1].css.2.dr	String found in binary or memory: https://my.navyfederal.org/NFOAA_Auth/resources/img/css/img-billboard-BG.svg);
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://ondemand.webtrends.com/support/optout.asp
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://priv-policy.imrworldwide.com/priv/browser/us/en/optout.html
Source: {2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://privacy.m
Source: {2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://privacy.micros
Source: style[1].css.2.dr	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-daldttgld72orokijcgtjn9zgk-dhdwrgaphu-0dqka/log
Source: style[1].css.2.dr	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-mg0l7zcxfhbgphoiomweiqgq-z4rxnrzczncff4igy/logi
Source: style[1].css.2.dr	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-pd-rbmzbvqe7c-fjbigunke9t2gf5jszgqrgsatxfkk/log
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8576.13/content/cdnbundles/converged.v2.login.m
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8576.13/content/images/favicon_a_eupayfgghqiai7
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://signin.kissmetrics.com/privacy/#controls
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://skype.com/go/myaccount
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://support.xbox.com/help/family-online-safety/online-safety/manage-online-safety-and-privacy-se
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://support.xbox.com/help/friends-social-activity/community/use-safety-settings
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://tools.google.com/dlpage/gaoptout
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://tuicura.com/offic/next2.php
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://tuicura.com/offic/nexxt.php
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.aboutads.info/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.acuityads.com/opt-out/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.adjust.com/opt-out/
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.adr.org
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.appnexus.com/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.appsflyer.com/optout
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.clicktale.net/disable.html
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.google.com/intl/en_ALL/help/terms_maps.html
Source: FAX-MESSAGE201636576736375362.hTMl, actions[1].js.2.dr	String found in binary or memory: https://www.google.com/s2/favicons?sz=16&domain_url=
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://www.google.com/s2/favicons?sz=32&domain_url=
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://www.google.com/s2/favicons?sz=64&domain_url=
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.here.com/)
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.linkedin.com/legal/privacy-policy
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
Source: {2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://www.microsoft.
Source: {2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://www.microsoft.s/Desktop/FAX-MESSAGE201636576736375362.hTMl
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.optimizely.com/legal/opt-out/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.privacyshield.gov/welcome
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com).
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/allrates
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/legal
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/legal.broadcast
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/store.reactivate.credit
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/ustax
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/Legal/ThirdPartyDataSharing
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/en-US/Legal/CodeOfConduct
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/en-US/Legal/CodeOfConduct)
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/legal/codeofconduct
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/managedatacollection
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/xbox-game-studios
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/xbox-game-studios)
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.youradchoices.ca
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.youradchoices.ca/fr
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.youronlinechoices.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: classification engine

Classification label: mal56.phis.winHTML@3/44@8/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2D14E88B-7589-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0D97FEC405499157.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6260 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6260 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
204.93.216.87	unknown	United States	23352	SERVERCENTRALUS	false
152.199.23.37	unknown	United States	15133	EDGECASTUS	false
104.16.18.94	unknown	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
cs1100.wpc.omegacdn.net	152.199.23.37	true
cdnjs.cloudflare.com	104.16.18.94	true
manmedia.org	204.93.216.87	true
stackpath.bootstrapcdn.com	unknown	unknown
secure.aadcdn.microsoftonline-p.com	unknown	unknown
code.jquery.com	unknown	unknown
aadcdn.msftauth.net	unknown	unknown
assets.onestore.ms	unknown	unknown
ajax.aspnetcdn.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	true		low

Phishing:

Phishing site detected (based on favicon image match)

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish_10

Source: Yara match	File source: FAX-MESSAGE201636576736375362.hTMl, type: SAMPLE
Source: Yara match	File source: 142233.pages.csv, type: HTML

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: Title: Sign in to your account does not match URL
Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: Title: Sign in to your account does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/FAX-MESSAGE201636576736375362.hTMl	HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.5:49725 version: TLS 1.2

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 152.199.23.37 152.199.23.37
Source: Joe Sandbox View	IP Address: 104.16.18.94 104.16.18.94
Source: Joe Sandbox View	IP Address: 104.16.18.94 104.16.18.94

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: privacystatement[1].htm.2.dr	String found in binary or memory: <ul><li>Sources of personal data: Interactions with users</li><li>Purposes of Processing (Collection and Sharing with Third Parties): Provide our products; product improvement; product development; customer support; and help, secure, and troubleshoot</li><li>Recipients: Service providers and user-directed entities</li></ul></li></ul><p>While the bulleted list above contains the primary sources and purposes of processing for each category of personal data, we also collect personal data from the sources listed in the <a target="_blank" class="mscom-link" href="#mainpersonaldatawecollect">Personal data we collect</a> section, such as developers who create experiences through or for Microsoft products. Similarly, we process all categories of personal data for the purposes described in the <a target="_blank" class="mscom-link" href="#mainhowweusepersonaldatamodule">How we use personal data</a> section, such as meeting our legal obligations, developing our workforce, and doing research.</p><p><strong>Disclosures of personal data for business or commercial purposes</strong>. As indicated in the <a target="_blank" class="mscom-link" href="#mainreasonswesharepersonaldatamodule">Reasons we share personal data</a> section, we share personal data with third parties for various business and commercial purposes. The primary business and commercial purposes for which we share personal data are the purposes of processing listed in the table above. However, we share all categories of personal data for the business and commercial purposes in the <a class="mscom-link" href="#mainreasonswesharepersonaldatamodule">Reasons we share personal data</a> section.</p></span></div><div class="divModuleDescription"><span id="Header13">Advertising</span><span id="navigationHeader13">Advertising</span><span id="moduleName13">mainadvertisingmodule</span><div class="printsummary" style="display: block;">Summary</div><span class="Description" id="ShortDescription13"><p>Advertising allows us to provide, support, and improve some of our products. Microsoft does not use what you say in email, chat, video calls or voice mail, or your documents, photos, or other personal files to target ads to you. We use other data, detailed below, for advertising in our products and on third-party properties. For example:</p><ul><li>Microsoft may use data we collect to select and deliver some of the ads you see on Microsoft web properties, such as <a target="_blank" class="mscom-link" href="https://www.microsoft.com">Microsoft.com</a>, MSN, and Bing.</li><li>When the advertising ID is enabled in Windows 10 as part of your privacy settings, third parties can access and use the advertising ID (much the same way that websites can access and use a unique identifier stored in a cookie) to select and deliver ads in such apps.</li><li>We may share data we collect with partners, such as Verizon Media, AppNexus, or Facebook (see below), so that the ads you see in our products and their products ar
Source: privacystatement[1].htm.2.dr	String found in binary or memory: s <a target="_blank" class="mscom-link" href="https://www.linkedin.com/legal/privacy-policy">Privacy Policy</a>.</p></span></div><div class="divModuleDescription"><span id="Header29">Search, Microsoft Edge, and artificial intelligence</span><span id="navigationHeader29">Search, Microsoft Edge, and artificial intelligence</span><span id="moduleName29">mainsearchaimodule</span><div class="printsummary" style="display: block;">Summary</div><span class="Description" id="ShortDescription29" aria-expanded="false"><p>Search and artificial intelligence products connect you with information and intelligently sense, process, and act on information equals www.linkedin.com (Linkedin)
Source: privacystatement[1].htm.2.dr	String found in binary or memory: s health, oral health, osteoporosis, skin health, sleep, and vision / eye care. We will also personalize ads based on custom, non-sensitive health-related interest categories as requested by advertisers.</li><li><strong>Children and advertising</strong>. We do not deliver personalized advertising to children whose birthdate in their Microsoft account identifies them as under 16 years of age.</li><li><strong>Data retention</strong>. For personalized advertising, we retain data for no more than 13 months, unless we obtain your consent to retain the data longer.</li><li><strong>Data sharing</strong>. In some cases, we share with advertisers reports about the data we have collected on their sites or ads.</li></ul><p><strong>Data collected by other advertising companies</strong>. Advertisers sometimes include their own web beacons (or those of their other advertising partners) within their advertisements that we display, enabling them to set and read their own cookie. Additionally, Microsoft partners with third-party ad companies to help provide some of our advertising services, and we also allow other third-party ad companies to display advertisements on our sites. These third parties may place cookies on your computer and collect data about your online activities across websites or online services. These companies currently include, but are not limited to: <a target="_blank" class="mscom-link" href="https://www.appnexus.com/">AppNexus</a>, <a target="_blank" class="mscom-link" href="https://www.facebook.com/help/568137493302217">Facebook</a>, <a target="_blank" class="mscom-link" href="https://www.media.net/adchoices">Media.net</a>, <a target="_blank" class="mscom-link" href="https://my.outbrain.com/recommendations-settings/home">Outbrain</a>, <a target="_blank" class="mscom-link" href="https://www.taboola.com/privacy-policy#user-choices-and-optout">Taboola</a> and <a target="_blank" class="mscom-link" href="https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/index.html">Verizon Media</a>. Select any of the preceding links to find more information on each company's practices, including the choices it offers. Many of these companies are also members of the <a target="_blank" class="mscom-link" href="https://www.networkadvertising.org/managing/opt_out.aspx">NAI</a> or <a target="_blank" class="mscom-link" href="https://www.aboutads.info/choices/">DAA</a>, which each provide a simple way to opt out of ad targeting from participating companies.</p></span></div><div class="divModuleDescription"><span id="Header14">Collection of data from children</span><span id="navigationHeader14">Collection of data from children</span><span id="moduleName14">maincollectionofdatafromchildrenmodule</span><div class="printsummary" style="display: block;">Summary</div><span class="Description" id="ShortDescription14"><p>When a Microsoft product collects age, and there is an age in your jurisdiction under which parental consent or authorization is required to u

Source: unknown

DNS traffic detected: queries for: manmedia.org

Source: icons[1].eot.2.dr	String found in binary or memory: http://fontello.com
Source: icons[1].eot.2.dr	String found in binary or memory: http://fontello.comiconsRegulariconsiconsVersion
Source: 17-f90ef1[1].js.2.dr	String found in binary or memory: http://github.com/requirejs/almond/LICENSE
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: http://logo.clearbit.com/
Source: popper.min[1].js.2.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: privacystatement[1].htm.2.dr	String found in binary or memory: http://www.asp.net/ajaxlibrary/CDN.ashx.
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: http://www.mpegla.com
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: http://www.mpegla.com).
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.s
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-2ivja-xubozxczt8hkuyvxiwoa4vmtaxu-16djdwpc4/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-bo8shd6svfocawg-d1lkuqyily-ch6cw-n5c0rmtwbq/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-mg0l7zcxfhbgphoiomweiqgq-z4rxnrzczncff4igy/logintenantbrandi
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-pd-rbmzbvqe7c-fjbigunke9t2gf5jszgqrgsatxfkk/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-pglwtvfgjxd-jsxdxcu-ixstqem6dnqipplqonbe8ro/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-uhsmbqxf0i-fc4inz9zgqi96xh-agvghl3xbkxk-y7c/logintenantbrand
Source: style[1].css.2.dr	String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-xs-ly6aik51q1xmokwuzg7cgil517bv-ngigbudd-ua/logintenantbrand
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.3.1.min.js
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://aka.ms/DPA
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://aka.ms/kinectprivacy/
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://aka.ms/redeemrewards
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://aka.ms/redeemrewards).
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://aka.ms/taxservice
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://aka.ms/useterms
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://code.jquery.com/jquery-3.3.1.slim.min.js
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://developer.yahoo.com/flurry/end-user-opt-out/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protectio
Source: bootstrap.min[1].js.2.dr	String found in binary or memory: https://getbootstrap.com/)
Source: app[1].css.2.dr	String found in binary or memory: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css
Source: bootstrap.min[1].js.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: actions[1].js.2.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://login.skype.com/login
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://manmedia.org/offic/n.page/actions.js
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://manmedia.org/offic/n.page/jqueryLib.js
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://manmedia.org/offic/n.page/style.css
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://mixer.com/about/tos
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://mixer.com/contact
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://mixpanel.com/optout
Source: style[1].css.2.dr	String found in binary or memory: https://my.navyfederal.org/NFOAA_Auth/resources/img/css/img-billboard-BG.svg);
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://ondemand.webtrends.com/support/optout.asp
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://priv-policy.imrworldwide.com/priv/browser/us/en/optout.html
Source: {2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://privacy.m
Source: {2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://privacy.micros
Source: style[1].css.2.dr	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-daldttgld72orokijcgtjn9zgk-dhdwrgaphu-0dqka/log
Source: style[1].css.2.dr	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-mg0l7zcxfhbgphoiomweiqgq-z4rxnrzczncff4igy/logi
Source: style[1].css.2.dr	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-pd-rbmzbvqe7c-fjbigunke9t2gf5jszgqrgsatxfkk/log
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8576.13/content/cdnbundles/converged.v2.login.m
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8576.13/content/images/favicon_a_eupayfgghqiai7
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://signin.kissmetrics.com/privacy/#controls
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://skype.com/go/myaccount
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://support.xbox.com/help/family-online-safety/online-safety/manage-online-safety-and-privacy-se
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://support.xbox.com/help/friends-social-activity/community/use-safety-settings
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://tools.google.com/dlpage/gaoptout
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://tuicura.com/offic/next2.php
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://tuicura.com/offic/nexxt.php
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.aboutads.info/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.acuityads.com/opt-out/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.adjust.com/opt-out/
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.adr.org
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.appnexus.com/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.appsflyer.com/optout
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.clicktale.net/disable.html
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.google.com/intl/en_ALL/help/terms_maps.html
Source: FAX-MESSAGE201636576736375362.hTMl, actions[1].js.2.dr	String found in binary or memory: https://www.google.com/s2/favicons?sz=16&domain_url=
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://www.google.com/s2/favicons?sz=32&domain_url=
Source: FAX-MESSAGE201636576736375362.hTMl	String found in binary or memory: https://www.google.com/s2/favicons?sz=64&domain_url=
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.here.com/)
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.linkedin.com/legal/privacy-policy
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
Source: {2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://www.microsoft.
Source: {2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://www.microsoft.s/Desktop/FAX-MESSAGE201636576736375362.hTMl
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.optimizely.com/legal/opt-out/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.privacyshield.gov/welcome
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com).
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/allrates
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/legal
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/legal.broadcast
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/store.reactivate.credit
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.skype.com/go/ustax
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/Legal/ThirdPartyDataSharing
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/en-US/Legal/CodeOfConduct
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/en-US/Legal/CodeOfConduct)
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/legal/codeofconduct
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/managedatacollection
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/xbox-game-studios
Source: servicesagreement[1].htm.2.dr	String found in binary or memory: https://www.xbox.com/xbox-game-studios)
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.youradchoices.ca
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.youradchoices.ca/fr
Source: privacystatement[1].htm.2.dr	String found in binary or memory: https://www.youronlinechoices.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: classification engine

Classification label: mal56.phis.winHTML@3/44@8/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2D14E88B-7589-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0D97FEC405499157.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6260 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6260 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

ID:	356226
Product:	CloudBasic
Start time:	19:41:52
Start date:	22.02.2021
Sample:	FAX-MESSAGE201636576736375362.hTMl
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	9c0f59a8ec93478511d689bfb7d9a74a
SHA1:	f35fc0edde9dbe0a9887e947fba8b95c2fad719c
SHA256:	59c6ccf88f60e9255e6886bf2865c45795e97a61bf135f2e125537540c7c71b2

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2D14E88B-7589-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	C164E86B17DC53B24079F43FD55DF9B5	F38C361313269F38CD1290669AFA9255F7A6707D	B1EC6CCCA4A881019C3E0A5D4D48C7F8C6285BD632614A226619D2DFEF1ED8D0
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2D14E88D-7589-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	FF688F17831634397C046193C5C0FD0F	0718E671888BA1250F52DF913E604DB1C5324EB0	08DD2F01979FE0E98DEA6CC6E900574B9FEF6CD2D8084DC662E1D5C333EADC72
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2D14E88E-7589-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	244782B02CE18222A50B62B25B27396C	5461E2B4E38036A12C64D1C7E2CCFAF29E7ACD8C	02C7744ADFA03545E12D829F6216F48632A8EC0BF068B07089B00E69E86E25F8
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat	data	2AE68499E1110783D8C391DE19658C81	1A65493892734376034A9EC619AB6B1B5C3FD42D	C370CF1F263AAF411D70334D2EA67C258A7B016CB12DD7AE7E847CCCD571A742
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\arrow_px_up[1].gif	GIF image data, version 89a, 7 x 9	95B65C94F57061E15ECC8304D3E578D5	A7483D668A780949FDA842F39877A3C08D0FC51C	BDA2D6EB8E72B3DBCA5EEF086178033F8A2BB3481180B2C63295FCF23843D960
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\jquery-1.7.2.min[1].js	HTML document, UTF-8 Unicode text, with very long lines	B8D64D0BC142B3F670CC0611B0AEBCAE	ABCD2BA13348F178B17141B445BC99F1917D47AF	47B68DCE8CB6805AD5B3EA4D27AF92A241F4E29A5C12A274C852E4346A0500B4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\jqueryLib[1].js	ASCII text, with very long lines, with CRLF line terminators	473957CFB255A781B42CB2AF51D54A3B	67BDACBD077EE59F411109FD119EE9F58DB15A5F	75B707D8761E2BFBD25FBD661F290A4F7FD11C48E1BF53A36DC6BD8A0034FA35
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\latest[1].eot	Embedded OpenType (EOT), Segoe UI Light family	17DFE73CB9C64527F7248B0A24DB317D	345198B9239FCDAF038FB2D3A919E4724037DBAA	AD75FB92B2EBCE6C37640F03E1AB96A752F388BCE60C877ADE4780B13839E8C4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\latest[1].woff	Web Open Font Format, TrueType, length 35900, version 0.0	70C1D43A35B7A48D088D830EA07FCF77	025E0E281139C70C5538E09BFA7927141AF0CC0B	942E5DD201200674506B0DF50C1AFEF021FFF6D5BD7BB7F600DED8617DBCB386
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\mwfmdl2-v3.54[1].woff	Web Open Font Format, TrueType, length 26288, version 0.0	D0263DC03BE4C393A90BDA733C57D6DB	8A032B6DEAB53A33234C735133B48518F8643B92	22B4DF5C33045B645CAFA45B04685F4752E471A2E933BFF5BF14324D87DEEE12
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\print-icon[1].png	PNG image data, 16 x 16, 8-bit/color RGB, non-interlaced	023F5AC6E0114AF1F781BE5D3C956385	C166284B8541F1DE32DC5C4DEC635C296BF85C98	75D637BF6B6DFF2525095D0BE7E0C90F012BB118C2EF19099AFDCBC630ADFC79
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\servicesagreement[1].htm	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	2C1875DED4C999744722E139C8BBC7A3	B4169A10F8F9401ADED061D73610054619F8953C	8D896E2FD51415AB83E866D211A02227CD8993596C8B54673060C4AE2EA17218
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\style[1].css	ASCII text, with CRLF line terminators	3BD33314562B431BB47EF0CCB7ECCC62	93171B5D03DA9D63AC3BA80187159A9F9D5022D6	D95C9920A34DF7714EADB1257094981FDD5A596D2B1C80E3A9278F02D1AEE9A1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\RE1Mu3b[1].png	PNG image data, 216 x 46, 8-bit/color RGBA, non-interlaced	9F14C20150A003D7CE4DE57C298F0FBA	DAA53CF17CC45878A1B153F3C3BF47DC9669D78F	112FEC798B78AA02E102A724B5CB1990C0F909BC1D8B7B1FA256EAB41BBC0960
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\bootstrap.min[1].js	ASCII text, with very long lines	CE6E785579AE4CB555C9DE311D1B9271	5EF2C15B47D7290698C737676BA9C3056B45F2E8	0BCA10549DF770AB6790046799E5A9E920C286453EBBB2AFB0D3055339245339
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\favicons[1].png	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	93D092004CFAF8ACAC6BB50770CE1A50	9189B8D8A779D96EBE9B4B90A20B80360496B496	CC6CC2AEA055BDA1D2E6651A480B1133A39EB908DD42BF977BA82E787A55CB91
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\icons[1].eot	Embedded OpenType (EOT), icons family	77E1987DF3A0274C5A51E3C55CEE7C98	9B0FE96AF141AB09183F386F65BC627B8C396460	EF04649D4D068673CF0FA47EF4C45C8BE291E703F4EC5FC0E507F17839120AA2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\jquery-1.11.2.min[1].js	ASCII text, with very long lines	5790EAD7AD3BA27397AEDFA3D263B867	8130544C215FE5D1EC081D83461BF4A711E74882	2ECD295D295BEC062CEDEBE177E54B9D6B19FC0A841DC5C178C654C9CCFF09C0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\jquery-3.3.1.slim.min[1].js	ASCII text, with very long lines	99B0A83CF1B0B1E2CB16041520E87641	BC5836992C0B260496BA520FE1336D499BF06EB7	DDE76B9B2B90D30EB97FC81F06CAA8C338C97B688CEA7D2729C88F529F32FBB1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\latest[1].eot	Embedded OpenType (EOT), Segoe UI family	CAD76E4816AF6890C9BFD02A6D1EA899	9EDC91541C31034FCE0D83AABBAAD4C314CD3D33	D5794223D1A062E5DBE6C34C1994C8CE3792B24AFD5218D0644CB1F53DA4BE58
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\override[1].css	ASCII text, with very long lines, with CRLF line terminators	A570448F8E33150F5737B9A57B6D889A	860949A95B7598B394AA255FE06F530C3DA24E4E	0BD288D5397A69EAD391875B422BF2CBDCC4F795D64AA2F780AFF45768D78248
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\privacystatement[1].htm	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	1AC234014F0DEC871387CAEA0E81A6A7	638BBE7030041918E0D6048BBC3B4784FB5AE4D1	0C250EDD6730A5526388BDFCF839764885D872D3FDF4BD0CD49DCE9B2951F3A3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\wcp-consent[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	38B769522DD0E4C2998C9034A54E174E	D95EF070878D50342B045DCF9ABD3FF4CCA0AAF3	208EDBED32B2ADAC9446DF83CAA4A093A261492BA6B8B3BCFE6A75EFB8B70294
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\17-f90ef1[1].js	ASCII text, with very long lines	D567746F6D3BABF05ACF7A63730AC2CB	DDB8B9E24115D9653C432C1C2A3C57E0F881AFEB	F4DF01A10175F31D0620AE8AA24854DF0D8DCB0C752E8465376B2ED3DEF62DE0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\2_bc3d32a696895f78c19df6c717586a5d[1].svg	SVG Scalable Vector Graphics image	BC3D32A696895F78C19DF6C717586A5D	9191CB156A30A3ED79C44C0A16C95159E8FF689D	0E88B6FCBB8591EDFD28184FA70A04B6DD3AF8A14367C628EDD7CABA32E58C68
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\actions[1].js	ASCII text, with very long lines, with CRLF line terminators	953786798E6E895D5306E93D7C73D5C6	DC84F8520E2640486837B10D5CF15BAB7355C5F9	F80523F7881DA7D827349D5C1E7615719096944955E0DEC405B811E0CDF274BB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\app[1].css	ASCII text, with very long lines, with CRLF, LF line terminators	7C593B06759DB6D01614729D206738D6	0D4F76D10944933B8DDECFFE9691081439A77A3C	F7D9FB0479DE843CF3FB0B78FC56BBB9E30BF0A238C6F79D9209FA8B22EFB574
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\b5-6bb6f8[1].css	UTF-8 Unicode text, with very long lines	32498183608C049E806B05A773254B29	D624684F4E69B3591D95668ECE18E20FE4040211	ABEA64D238E5567C9A33C0CFD0F0E86DB83B705CBCA4E20A4417CFD341BA7725
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\favicon[1].ico	MS Windows icon resource - 6 icons, 128x128, 16 colors, 72x72, 16 colors	12E3DAC858061D088023B2BD48E2FA96	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\favicon[2].ico	MS Windows icon resource - 6 icons, 128x128, 16 colors, 72x72, 16 colors	12E3DAC858061D088023B2BD48E2FA96	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\script[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	633B23CA8A850C508C146635DB4239F5	CF78DA53BD7561F3ACB33710016ECBF60E9F0204	DAA1677D2640BE8A77F6C69EEE3911D2F8CF81DAA7BB604800A2D63A8F130C95
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\shell.min[1].css	UTF-8 Unicode text, with very long lines, with no line terminators	1F9995AB937AC429A73364B4390FF6E8	81998DCC6407CEB5CEF236AD52B9F2A3A9528D3B	49E5166F40D8586714F86E08AB76A977199DF979357147A0E81980A804151C2A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Print[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	B8E8859FCD4E43D51233559C17A3C7BD	F0CA023F26A84761995FA0BF6935DE6A3B8AE6F8	DC15A37B4015D0DECF639006E4F9002E742DDBFD7C669EC0AE469057F238B78D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\jquery-3.3.1.min[1].js	ASCII text, with very long lines	A09E13EE94D51C524B7E2A728C7D4039	0DC32DB4AA9C5F03F3B38C47D883DBD4FED13AAE	160A426FF2894252CD7CEBBDD6D6B7DA8FCD319C65B70468F10B6690C45D02EF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\jquery.min[1].js	HTML document, UTF-8 Unicode text, with very long lines	DDB84C1587287B2DF08966081EF063BF	9EB9AC595E9B5544E2DC79FFF7CD2D0B4B5EF71F	88171413FC76DDA23AB32BAA17B11E4FFF89141C633ECE737852445F1BA6C1BD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\latest[1].eot	Embedded OpenType (EOT), Segoe UI Semibold family	E812BA8B7E2A657F2B70CFACE93C7682	2F02CDDBB483F9B11BBBE74C3CA917A4C345FBAD	3330C1DEAC468874238DD0C6BF902179A8731EDA8A208C7D01DAC0AB1EAE1BC9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\popper.min[1].js	ASCII text, with very long lines	6B08DDC901000D51FA1F06A35518F302	BAFE987C18CBE0587DE3E6360E7DA40A2885614B	02835066969199E9924F1332F7172A5D7E552F023A20C3D8BA03BB6C51CE5BE5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\script[1].js	ASCII text, with very long lines, with no line terminators	B110D87662D257F657ABCCEF7AF5CD09	FD7519D842B6344448E6F1D69DFFA5F896FAE4A6	65E82E7414D88BC864191400084C24DA27052E7A61F9F3C1F1EFDFEE433D558C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\script[2].js	ASCII text, with very long lines, with no line terminators	79493518F253F3F74970CF43C8A3FEEE	E0CC16264EA44A55C17766A5E0F0F4DB7DD8AAF2	BD041981B6512D6DA32A6AE752EFE67DD0BA22FACFA9A534B0F5B08651B7852A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\style[1].css	UTF-8 Unicode text, with very long lines, with no line terminators	D0519383C16A2B2D2879BFBF15845F0C	B2FBBC365B2CA853B1CBEAAA0F10BB05148ED9AA	046BA9FDD7992751785036A03AB6EDD3052465C23C2BAD1ADC80905DC6AA39A9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\style[2].css	ASCII text, with very long lines, with no line terminators	2AC383F4677A1036C8EA4289F99A31E3	E65967B9273029CDDD5A5F8DF9E61DACF89CF11C	2206A95E6BAC7C185CC54638EBF0B0089CBC27FF729B45AC63C968CFE4991AA4
C:\Users\user\AppData\Local\Temp\~DF0D97FEC405499157.TMP	data	F04C19378B5EB9CEE9C11612F48DD488	B3293DE91A619E9766C8FDA66F732E4F480125F9	BA75EC911B595E1F90F6EB277EE35CBFC8E3FA212F7ABC9906692E458AEAADFF
C:\Users\user\AppData\Local\Temp\~DF912E71454DA88AEA.TMP	data	4AEEFB359B944A1E4B0F30F3BD9FD717	C155EB03488180BD7F7D854E63579F7BCC14CBC5	9466A21E55A2DF19F5CD8E6439CDAA7F6A94C65B337C335E6EC870D3CF6F3CAF
C:\Users\user\AppData\Local\Temp\~DFF1E70D0A41546C24.TMP	data	AB889A32AB9ACD33E816C2422337C69A	1190C6B34DED2D295827C2A88310D10A8B90B59B	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA

Analysis Report FAX-MESSAGE201636576736375362.hTMl

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing:

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs