Analysis Report https://bms.kaseya.com/Common/GetFile.ashx?enc=v0v3iBf9dJHRtCPkoYKg5wsihzS8jK%2bxLf5aFov4PDai02rukxWdluULr23lV4sTLzOvtuRnCV1xqi7E%2biXfpNb%2b6uvighFcWCFFIQBB8Xk%3d

Overview

General Information

Sample URL: https://bms.kaseya.com/Common/GetFile.ashx?enc=v0v3iBf9dJHRtCPkoYKg5wsihzS8jK%2bxLf5aFov4PDai02rukxWdluULr23lV4sTLzOvtuRnCV1xqi7E%2biXfpNb%2b6uvighFcWCFFIQBB8Xk%3d
Analysis ID: 356753

Detection

HTMLPhisher
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish_10

Classification

Phishing:

Yara detected HtmlPhish_10
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\46f3fddd-165c-4cd8-9412-436cd19deef5[1].html, type: DROPPED
Source: Yara match File source: C:\Users\user\Downloads\46f3fddd-165c-4cd8-9412-436cd19deef5.html.a41uhm1.partial, type: DROPPED

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: bms.kaseya.com
Source: actions[1].js.6.dr String found in binary or memory: http://logo.clearbit.com/
Source: popper.min[1].js.6.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: style[1].css.6.dr String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.s
Source: style[1].css.6.dr String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-2ivja-xubozxczt8hkuyvxiwoa4vmtaxu-16djdwpc4/logintenantbrand
Source: style[1].css.6.dr String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-bo8shd6svfocawg-d1lkuqyily-ch6cw-n5c0rmtwbq/logintenantbrand
Source: style[1].css.6.dr String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-mg0l7zcxfhbgphoiomweiqgq-z4rxnrzczncff4igy/logintenantbrandi
Source: style[1].css.6.dr String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-pd-rbmzbvqe7c-fjbigunke9t2gf5jszgqrgsatxfkk/logintenantbrand
Source: style[1].css.6.dr String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-pglwtvfgjxd-jsxdxcu-ixstqem6dnqipplqonbe8ro/logintenantbrand
Source: style[1].css.6.dr String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-uhsmbqxf0i-fc4inz9zgqi96xh-agvghl3xbkxk-y7c/logintenantbrand
Source: style[1].css.6.dr String found in binary or memory: https://aadcdn.msftauthimg.net/dbd5a2dd-xs-ly6aik51q1xmokwuzg7cgil517bv-ngigbudd-ua/logintenantbrand
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.3.1.min.js
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Source: GetFile[1].htm.3.dr String found in binary or memory: https://bms.kaseya.com/media/GetFile.ashx?enc=v0v3iBf9dJHRtCPkoYKg5wsihzS8jK%2bxLf5aFov4PDai02rukxWd
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.slim.min.js
Source: bootstrap.min[1].js.6.dr String found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].js.6.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.6.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: actions[1].js.6.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://manmedia.org/offic/n.page/actions.js
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://manmedia.org/offic/n.page/jqueryLib.js
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://manmedia.org/offic/n.page/style.css
Source: style[1].css.6.dr String found in binary or memory: https://my.navyfederal.org/NFOAA_Auth/resources/img/css/img-billboard-BG.svg);
Source: style[1].css.6.dr String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-daldttgld72orokijcgtjn9zgk-dhdwrgaphu-0dqka/log
Source: style[1].css.6.dr String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-mg0l7zcxfhbgphoiomweiqgq-z4rxnrzczncff4igy/logi
Source: style[1].css.6.dr String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/dbd5a2dd-pd-rbmzbvqe7c-fjbigunke9t2gf5jszgqrgsatxfkk/log
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8576.13/content/cdnbundles/converged.v2.login.m
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8576.13/content/images/favicon_a_eupayfgghqiai7
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://tuicura.com/offic/next2.php
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://tuicura.com/offic/nexxt.php
Source: 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://www.google.com/s2/favicons?sz=16&domain_url=
Source: actions[1].js.6.dr, 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://www.google.com/s2/favicons?sz=32&domain_url=
Source: actions[1].js.6.dr, 46f3fddd-165c-4cd8-9412-436cd19deef5[1].html.3.dr String found in binary or memory: https://www.google.com/s2/favicons?sz=64&domain_url=
Source: classification engine Classification label: mal48.phis.win@11/32@9/5
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{835A355E-7633-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF08A6A974461167F6.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5116 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Downloads\46f3fddd-165c-4cd8-9412-436cd19deef5.html
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17412 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17414 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5116 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Downloads\46f3fddd-165c-4cd8-9412-436cd19deef5.html
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17412 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17414 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Behavior Graph
Behavior Graph ID: 356753
URL: https://bms.kaseya.com/Comm...
Startdate: 23/02/2021
Architecture: WINDOWS
Score: 48
Signature: Yara detected HtmlPhish_10
Process tree: iexplore.exe (PID 5116) -> iexplore.exe (two child processes); one child -> three further iexplore.exe processes
Dropped files: 46f3fddd-165c-4cd8...tml.a41uhm1.partial (HTML), 46f3fddd-165c-4cd8...36cd19deef5[1].html (HTML)
Contacted hosts in graph: origin-bms.kaseya.com 52.144.52.222:443 (STRATOGENGB, United States); bms.kaseya.com; manmedia.org 204.93.216.87:443 (SERVERCENTRALUS, United States); cs1100.wpc.omegacdn.net 152.199.23.37:443 (EDGECASTUS, United States); 6 other IPs or domains

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name         Malicious
204.93.216.87  unknown  United States  23352  SERVERCENTRALUS  false
152.199.23.37  unknown  United States  15133  EDGECASTUS       false
52.144.52.222  unknown  United States  50292  STRATOGENGB      false
104.16.19.94   unknown  United States  13335  CLOUDFLARENETUS  false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
cs1100.wpc.omegacdn.net 152.199.23.37 true
cdnjs.cloudflare.com 104.16.19.94 true
origin-bms.kaseya.com 52.144.52.222 true
manmedia.org 204.93.216.87 true
stackpath.bootstrapcdn.com unknown unknown
bms.kaseya.com unknown unknown
code.jquery.com unknown unknown
aadcdn.msftauth.net unknown unknown
ajax.aspnetcdn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
0 true
    low