Analysis Report http://nlbizsolutions.com/dsswey4464/update?email=backoffice@sampension.dk

Overview

General Information

Sample URL: http://nlbizsolutions.com/dsswey4464/update?email=backoffice@sampension.dk
Analysis ID: 383899
Most interesting Screenshot:

Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected HtmlPhish10
HTML body contains low number of good links
HTML title does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Suspicious form URL found
URL contains potential PII (phishing indication)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: http://nlbizsolutions.com/dsswey4464/update?email=backoffice@sampension.dk Avira URL Cloud: detection malicious, Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update?email=backoffice@sampension.dk SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Source: http://nlbizsolutions.com/dsswey4464/update?email=backoffice@sampension.dk UrlScan: detection malicious, Label: phishing brand: generic generic email
Antivirus detection for URL or domain
Source: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-US SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/img/middle.png Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/?email=backoffice Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/logo.png Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/loginDialog.js Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/generatedDefaults.js Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/is Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/loginBasic.css Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/bottom.png Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6E Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/?email=backoffice@sampension.dk Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/top.png Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/img/background.png Avira URL Cloud: Label: phishing
Source: http://nlbizsolutions.com/dsswey4464/update/login_files/loginAdvanced.css Avira URL Cloud: Label: phishing

Phishing:

Yara detected HtmlPhish10
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\hchgukzwr4viyk41vpqmzxrf[1].htm, type: DROPPED
HTML body contains low number of good links
Source: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-US HTTP Parser: Number of links: 0
HTML title does not match URL
Source: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-US HTTP Parser: Title: Sampension | Sign-in does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Source: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-US HTTP Parser: Has password / email / username input fields
Suspicious form URL found
Source: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-US HTTP Parser: Form action: mail.php
URL contains potential PII (phishing indication)
Source: http://nlbizsolutions.com/dsswey4464/update?email=backoffice@sampension.dk Sample URL: PII: backoffice@sampension.dk
Source: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-US HTTP Parser: No <meta name="author".. found
Source: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-US HTTP Parser: No <meta name="copyright".. found
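The five HTML signatures listed above (low number of good links, title/URL mismatch, plain-HTTP credential form, suspicious form action, PII in the URL) are static checks that can be reproduced outside the sandbox. The script below is an added example, not Joe Sandbox's detection code: it runs equivalent checks over a constructed stand-in for the fetched page that contains only the features the report cites (the title "Sampension | Sign-in", no anchors, e-mail and password inputs, a form posting to mail.php, a favicon pulled from sampension.dk). The thresholds (fewer than two absolute links, no title word of four or more letters occurring in the host name) and the list of harvester script names are assumptions of this example, not the sandbox's rules.

```python
"""Added example (not Joe Sandbox code): the five static HTML heuristics the
report fires, re-implemented and run over a constructed stand-in for the
lure page. Thresholds and the harvester-script list are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Lure URL as recorded in the report (the OIDC-looking parameters are inert).
PAGE_URL = ("http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php"
            "?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post"
            "&response_type=code+id_token&scope=openid+profile"
            "&email=backoffice@sampension.dk&Connect_Authentication_Properties&"
            "&nonce=50086702864b141fa6256f0d6effca3f5785df04d"
            "&redirect_uri=&ui_locales=en-US&mkt=en-US")

# Constructed stand-in for the fetched page, reduced to the features the report
# cites: the title, zero anchors, e-mail/password inputs, action=mail.php.
SAMPLE_HTML = """<html><head><title>Sampension | Sign-in</title>
<link rel="icon" href="http://sampension.dk/favicon.ico">
<link rel="stylesheet" href="login_files/loginBasic.css"></head>
<body><form method="post" action="mail.php">
<input type="email" name="login" value="backoffice@sampension.dk">
<input type="password" name="passwd">
<input type="submit" value="Sign in"></form></body></html>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Assumed list of script names credential harvesters commonly post to.
HARVESTER_NAMES = {"mail.php", "post.php", "send.php", "next.php", "login.php"}


class PageFeatures(HTMLParser):
    """Collects title text, anchor hrefs, form actions and input fields."""

    def __init__(self):
        super().__init__()
        self.title, self._in_title = "", False
        self.links, self.form_actions, self.inputs = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(),
                                (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def run_heuristics(url, html):
    """Return one entry per report signature; a truthy value means it fires."""
    f = PageFeatures()
    f.feed(html)
    u = urlparse(url)
    host = u.hostname or ""
    hits = {}
    # "HTML body contains low number of good links": absolute http(s) anchors
    # that are not '#' or javascript: (the threshold of two is an assumption).
    good = [h for h in f.links
            if not h.startswith(("#", "javascript:"))
            and urlparse(urljoin(url, h)).scheme in ("http", "https")]
    hits["low_good_links"] = len(good) < 2
    # "HTML title does not match URL": no title word of 4+ letters occurs in the host.
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", f.title)]
    hits["title_url_mismatch"] = bool(words) and not any(w in host for w in words)
    # "None HTTPS page querying sensitive user data"
    sensitive = any(t in ("password", "email") or "user" in n or "login" in n
                    for t, n in f.inputs)
    hits["plain_http_credentials"] = u.scheme == "http" and sensitive
    # "Suspicious form URL found": action off-host, or a typical harvester script.
    suspicious = []
    for action in f.form_actions:
        target = urlparse(urljoin(url, action))
        script = target.path.rsplit("/", 1)[-1].lower()
        if target.hostname != host or script in HARVESTER_NAMES:
            suspicious.append(action)
    hits["suspicious_form_action"] = suspicious
    # "URL contains potential PII": an e-mail address as a query-string value.
    hits["url_pii"] = [v for vs in parse_qs(u.query).values()
                       for v in vs if EMAIL_RE.fullmatch(v)]
    return hits


if __name__ == "__main__":
    for name, value in run_heuristics(PAGE_URL, SAMPLE_HTML).items():
        print(f"{name:24} {value}")
```

The form-action check is the one that settles triage here: the query string carries OpenID Connect-style parameters (client_id, response_mode=form_post, response_type=code+id_token, scope=openid+profile, nonce) as a real identity provider would consume, but redirect_uri is empty and the report shows the form posting to mail.php on the same host, so no token flow exists and the submitted credentials go straight to the operator's script.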
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 10:04:14 GMTServer: nginx/1.19.5Content-Type: text/html; charset=UTF-8Content-Length: 1456Vary: Accept-EncodingContent-Encoding: gzipX-Server-Cache: falseData Raw: 1f 8b 08 00 00 00 00 00 00 03 a5 52 db 6e 1b 37 10 7d 8e bf 82 60 50 d8 6e 2d ad 6c 25 69 23 6b 85 e6 66 20 40 9d 06 75 f2 56 c0 a0 c8 d9 5d 46 5c 72 43 72 65 c9 6d ff bd 43 ee 45 b2 2c a7 69 a2 07 2d 39 33 9c 39 73 ce 99 16 be 54 b3 83 69 01 4c e0 a7 04 cf 48 e1 7d 35 80 cf b5 5c a6 f4 95 d1 1e b4 1f 7c 58 57 40 09 6f 6e 29 f5 b0 f2 49 78 7a 4e 78 c1 ac 03 9f 7e fc 70 31 f8 85 76 3d 34 2b 21 a5 4b 09 37 95 b1 7e eb e5 8d 14 be 48 05 2c 25 87 41 bc 9c 10 a9 a5 97 4c 0d 1c 67 0a d2 d3 13 52 62 a4 ac cb ad 00 5b 6d 07 c2 18 2f bd 82 d9 15 2b 2b d0 4e 1a 4d fe 26 57 32 d7 03 a9 a7 49 93 3b 98 2a a9 17 c4 82 4a a9 44 00 94 78 dc 02 cf 25 cb c1 25 95 ce 29 71 f2 16 5c 4a 4f 9f fd 78 fa 8c 92 c2 42 96 d2 b0 ff 24 49 5c df 7a 28 16 49 c6 96 a1 c7 10 ff c2 74 c7 ad ac 7c db 30 b2 f1 89 2d 59 13 c5 ae 96 a7 74 98 28 93 4b 7d 9d 49 85 d3 e2 f9 35 6e 69 f2 e1 27 47 67 d3 a4 29 fe 96 5e 39 68 b0 cc 83 78 0d 19 ab 95 77 df dd 51 de 7d 1f 79 6b c8 d8 b3 c5 4b e6 24 1f 72 e7 68 c3 ad f3 6b cc 15 00 9e fe e7 db 17 62 c9 34 07 f1 e0 f3 a4 75 e2 dc 88 75 50 99 cd 15 10 a6 50 d9 94 72 74 10 58 4a e6 c6 0a b0 29 1d a1 af 40 a9 8a 09 21 75 de df 5d c5 78 77 2f 40 e6 05 da ee 74 34 fa 81 92 c6 7c cd 65 76 f0 68 ea 9b 29 8f f0 64 c3 07 bf e2 de b0 9c 1b 65 70 da e3 8b f8 a3 64 d9 56 94 52 08 05 b4 7d 18 81 fe 0f 64 3b 58 62 8f 0e 4e bc d8 1e fc 78 34 6a 4b f6 23 64 7c 91 5b 53 6b 91 d2 3b a2 96 79 b2 c9 0d a3 df f7 61 df 82 bf d5 e9 9b 68 0e 48 bb cd 9e 3f d9 a0 be bb db a3 0d e1 f7 96 b2 a1 11 7a 34 98 22 a5 ed cc 41 8c 4e ce 46 d5 8a de 79 d6 a0 ee 15 e2 f1 f7 f5 c8 4f 7b b0 4f b6 28 de 87 f7 1e e4 16 f5 0e 63 3d 92 2c fe 76 f7 98 90 a7 d5 ea 9c 78 58 f9 41 dc 77 42 1a 11 cf 37 ca 78 53 d1 dd 39 df ef ad 2f 2d b6 e3 b6 a7 a3 dd 37 cd aa 6d d3 
b3 d0 73 9a 78 b1 b7 a8 5d 42 41 e6 f7 57 61 cc ee 42 4a f6 60 c2 60 d8 7a 76 30 cd 8c 2d 09 e3 5e 9a e0 5b 26 d5 b0 2a 2a 4a 4a f0 85 41 d6 2b e3 d0 2f da 04 fe 04 f3 48 f6 e6 8c 8b 4c 85 5c 12 89 75 ca e4 e6 42 82 12 bd 28 99 d1 7e e0 e4 2d 4c ce 9e 04 59 a2 76 93 c7 a3 b3 17 a3 37 a3 73 12 d3 37 91 94 c9 dc 28 71 4e 67 57 2f 2e df bf 79 77 f5 f6 f7 77 53 59 e6 b1 ed ea 9a 67 37 d8 d2 f2 94 0e 13 1c 22 f5 75 26 15 b8 70 36 c3 4a e7 14 49 41 5a 2f 11 f9 96 dd 68 cf 37 9e 91 29 84 89 60 1b a5 db a2 f1 78 fc f5 56 c6 7b 07 47 e3 da 84 b4 42 07 d7 6e a9 17 7a ce ee 80 5f ef 05 8f 2e dc c2 de e3 1e 3f 1b 6f 80 9f 8d 3b 89 71 5a 12 e7 34 b3 ba d6 68 e4 69 e3 ef 59 bb d9 2e e4 dd 95 36 db ce f6 e3 3f fb f9 f9 03 43 b9 62 ce 35 73 6b 3a fb e8 c0 6a 56 c2 74 8e 59 a9 ab da f7 a8 3e a3 5b 30 93 d2 05 58 69 ae 6b 4a fc ba c2 2b 94 51 a1 d6 1c bc b6 0e dd a0 cd 40 58 53 9d 13 74 c2 7c 21 fd c0 9b 9a 17 03 ce 94 32 b5 9f a0 ef 34 9c 23 14 d2 17 d4 38 79 e0 40 01 bf 9b 5e 14 be 54 0f 66 4b 73 fb 70 ce 3d 98 32 0f 65 ee 87 29 b
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 10:04:14 GMTServer: nginx/1.19.5Content-Type: application/javascriptContent-Length: 527Last-Modified: Thu, 23 Aug 2018 02:55:56 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipX-Server-Cache: falseData Raw: 1f 8b 08 00 00 00 00 00 00 03 85 52 4d 4f 1b 31 10 bd ef af 18 38 e0 5d d1 b8 44 55 b9 2c cb 21 2d 6a 51 1b 7a 28 3d 21 84 cc ee 78 63 c5 1f 2b db 9b 26 82 fc 77 6c 67 93 d2 40 e9 c5 f2 d8 6f de cc 7b 33 59 c6 7b 5d 7b 61 34 2c ef ea 16 f3 78 aa 02 1e b2 05 b3 e9 49 43 05 8d a9 7b 85 da d3 16 fd 85 c4 78 75 93 d5 15 53 98 93 39 5a 61 ee 94 69 90 14 37 27 b7 e5 2e 51 be 9e 38 59 5d 36 39 49 00 52 94 59 2a 41 17 4c f6 18 f0 84 f7 52 8e 8c 1d 29 a1 05 29 37 3c b4 11 8e dd 4b 6c 02 80 33 e9 b0 84 e1 a3 9e 61 3d 4f ef a9 6d 78 7c 84 7c 57 b2 36 66 2e 90 0a dd e0 f2 07 7f de 68 95 d8 0b 38 a8 60 34 2e 4a 58 67 7f bb 30 4f 2e 98 c1 85 d0 e2 98 9d c6 e6 c8 bb d4 6e 17 ee 1a 7f c3 67 e6 31 0f 12 04 87 3f 09 09 40 1d fa f4 bb 89 da 21 2a e0 18 3e 9c 7e 2c a2 ae 81 72 bf a9 32 5b 67 18 24 fe 97 69 f4 06 53 34 31 31 ed 79 91 7c 8a f0 63 20 25 2e 3b 61 d1 55 24 44 1b 72 6f be 4c af 7f 7a 2b 74 1b 65 ad d3 24 13 6d 48 7c 58 97 7b 2e f1 3c ea 8d e2 0f f2 84 a2 a8 5b a1 11 8e 8e e0 79 4c 9d 33 54 b8 0b 9d 66 58 c4 24 8b be b7 7a 28 91 09 d5 0e 8e 5e 2a d6 6e 2c 55 2d 35 1a ad 35 36 0e 7d 28 bb 2b f8 82 de 19 b9 c0 5f 56 46 c0 5b 3b c7 1d 29 c2 46 04 e6 af d7 d3 ef d1 b6 33 06 33 8b bc 3a 8c 3e fc 93 37 3a 76 78 1e 21 e4 93 d1 5c 58 05 7e 86 50 a3 f5 82 8b 3a 8c 04 78 68 95 69 60 bd 37 2a c4 0d 48 d3 06 a7 bc 01 13 a0 16 be 25 23 59 d7 c9 88 0f 6a 1c 4d 7c 67 ef d9 79 1a d6 7a 2b 5b 1a d6 ec ab 7e 45 94 9b ac ae 98 c2 ed 62 87 76 49 71 73 72 4b 17 4c f6 71 d4 64 1c 69 37 a4 ce d6 e1 e5 85 bc ce 9a fb ad 3c cb 74 93 96 61 ca fc 8c c6 c8 a8 b4 06 4f fc 0a 3a 20 23 04 00 00 Data Ascii: 
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 10:04:14 GMTServer: nginx/1.19.5Content-Type: application/javascriptContent-Length: 286Last-Modified: Thu, 23 Aug 2018 02:55:38 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipX-Server-Cache: falseData Raw: 1f 8b 08 00 00 00 00 00 00 03 55 90 4d 6b 83 40 10 86 cf 15 fc 0f 7b 33 a1 69 f0 6c e9 41 74 2b 01 bf 88 eb a5 25 c8 26 6e e3 56 b3 16 d7 44 68 92 ff de 9d d5 36 e9 e5 61 67 de 67 87 61 06 2e ca 76 58 d6 ac e3 2d 7a 41 c3 7d 79 b9 a0 f3 f5 d9 34 74 b5 6c f8 56 09 b7 f7 ff 94 89 3d 17 4c 09 67 d3 90 ac ef b9 d8 4b 07 8a 87 81 6d 0f 94 37 63 71 35 8d eb c2 34 76 ad 90 3d 15 fd a4 f8 98 60 8f 60 bf 08 dd 38 c8 dd 00 3b c8 62 c2 5a e8 e8 d5 cd 43 52 90 55 84 8b b7 24 86 68 16 44 04 3d da b6 63 db 73 14 74 8c 89 86 8a 12 cd 7c 2a 0e b4 ab 65 45 4f 62 3e fd fe 1d 9c 78 6e 88 33 3d f7 e9 28 75 e8 e5 19 49 22 15 05 ab 18 98 14 f9 3a 54 86 0e 5d cf c3 29 f9 5b 48 fd 7c d7 2b e9 c5 36 60 64 79 9a 26 eb fb ad b5 b4 93 20 95 6c 52 6f d4 fd 8f 0e 58 8d 3c 02 79 0f fc a4 40 d1 00 bf 46 ea 7e a7 1d 59 6b 9e 80 df 95 b5 51 47 84 cb ff 00 29 72 be d6 bc 01 00 00 Data Ascii: UMk@{3ilAt+%&nVDh6agga.vX-zA}y4tlV=LgKm7cq54v=``8;bZCRU$hD=cst|*eEOb>xn3=(uI":T])[H|+6`dy& lRoX<y@F~YkQG)r
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 10:04:14 GMTServer: nginx/1.19.5Content-Type: text/cssContent-Length: 155Last-Modified: Thu, 23 Aug 2018 02:56:40 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipX-Server-Cache: falseData Raw: 1f 8b 08 00 00 00 00 00 00 03 35 8c b1 0a 02 31 10 44 6b 03 f9 87 80 ad 07 a7 58 25 9d 08 87 85 58 5b c9 92 c4 18 c8 65 75 89 1a 11 ff dd 5b bd eb 66 98 f7 66 73 d8 1e d5 5b 0a 8b 09 49 ab 40 f0 32 52 f4 40 21 66 ad 5a a3 a4 f8 48 b1 db 77 0c 3d 3c 95 68 21 35 90 62 18 e6 3e 3a 97 fc c8 48 51 4f f6 9c 99 7b 46 57 2e 5a ad d6 ed b5 f2 3a dd c1 bd a0 f9 c1 73 66 6f 8b 31 10 4b b3 c9 5a b2 35 f4 e2 6b 69 9c b7 48 50 22 66 9d 31 fb bf fd 05 12 c5 41 e0 b5 00 00 00 Data Ascii: 51DkX%X[eu[ffs[I@2R@!fZHw=<h!5b>:HQO{FW.Z:sfo1KZ5kiHP"f1A
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 10:04:14 GMTServer: nginx/1.19.5Content-Type: text/cssContent-Length: 725Last-Modified: Thu, 23 Aug 2018 02:56:56 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipX-Server-Cache: falseData Raw: 1f 8b 08 00 00 00 00 00 00 03 75 52 5d 8f 9b 30 10 7c 8f 94 ff 60 e5 54 a9 95 e0 0a e4 3e 5a f2 74 a7 bb 53 2b a5 1f 52 93 4a 7d aa 1c bc 01 2b c6 a6 c6 1c c9 55 fd ef b5 b1 09 26 69 c9 03 c4 9e 9d 9d 99 dd e9 84 f2 aa 51 69 d8 c2 66 47 55 88 1b 25 b6 94 31 f4 7b 3a e9 cf 36 62 1f d6 05 26 a2 4d 51 64 7e d5 1e c5 51 64 5e 6d 41 15 20 ca 6b 50 8b e9 e4 cf 74 f2 f1 f3 d7 f5 ca 14 6f 05 57 29 8a e7 1a b4 c2 85 28 71 80 be 83 24 98 eb 8f 1a f3 3a ac 41 d2 ed 02 75 55 f7 5f 1e 7e f4 45 e1 16 97 94 1d 52 34 fb 06 b9 00 b4 fe 38 0b d6 9b 86 ab 26 98 b1 26 a3 04 a3 5c 62 4e 60 16 28 4b ec d1 39 8a 9a be 80 6e 9e 54 7b 7d a2 60 af 7d 31 9a f3 14 65 c0 15 48 d3 75 83 b3 5d 2e 45 c3 49 8a 1a c9 5e d3 32 7f 3b 9c 5d 56 3c 7f 83 24 54 80 95 71 bc 38 ca 0c d0 87 d5 a7 a5 11 5b 00 cd 0b e3 31 8a 5e 39 1f 17 fb 9f d9 96 9b cb 12 cb 9c 72 93 97 49 d4 bd 0c aa a5 44 15 29 9a 47 57 9d b8 be 48 f8 8c c9 7c 44 58 99 bb 0a 13 42 79 1e 2a 51 69 d6 05 d2 cf 70 b8 11 4a 89 32 ed 74 fe cb 58 49 09 61 e0 9b 0a 0f 28 34 03 8c 46 2a 2a b4 ba bb 5f 3e 9a 7e 7e 6a 0c b6 6a d1 35 b4 b6 86 7e ba 7a 90 e1 fe db c7 92 32 91 8b 27 0a 8c f8 16 fa ea e4 7a d4 fc 57 e0 3e a4 01 bb 9c 92 eb c4 71 8e 47 7b d3 95 3a 39 5d 26 89 d5 72 a2 30 ee 70 47 81 1a 84 c6 5d e5 30 ad a1 c8 f9 ea 31 f5 69 20 6e 8d 4e a6 12 5f 9f 96 dd 99 c2 4c 30 21 53 b3 b4 87 7e 1b 09 64 42 62 45 85 e6 e2 82 c3 c9 de fe 27 96 fe 43 f9 bb 32 b7 13 1c c5 a5 97 40 48 02 b2 a3 42 b5 60 94 20 66 e0 4e 83 bd 0d 25 26 b4 a9 35 c5 a8 5f c7 3e 2c 51 e8 e4 5f 44 09 8e c0 2c 58 d6 c8 da 9c 54 82 ba 14 1c a4 2d a8 3a 5a 69 9d be 8d 60 64 68 e9 90 04 cb 5d cd b0 82 5c c2 61 71 96 7f 62 3d 1d 2d da 89 69 ca cd 8e ea 19 54 7a 81 25 e6 19 1c c3 d3 da 2f 8d f6 
c6 5f b3 6e 26 b7 c7 91 58 40 80 96 77 f7 8f 4b 83 f3 13 1f 47 f0 7c b6 80 67 12 ad 24 67 47 02 59 9c f3 21 9f 70 f5 70 26 2d b6 98 fe 4c 5a b3 c9 b8 b2 ed ca 44 4d ed b2 48 d0 a9 d1 67 e3 b9 e3 08 e7 be bf 77 ef 0f a8 ab 12 fe 86 c4 57 67 18 26 72 f1 44 81 11 5f 54 6f 2d 8e fa 30 7c 4a b7 cc be c9 9b b1 d4 bd b9 7f 06 a9 68 86 59 88 f5 c2 69 c1 5a a5 e5 5a 2f fd 5e 0c b6 6a c4 70 59 d6 14 6e 6d ab 83 41 ba bc fd a4 4e 60 2f a7 b0 b0 c7 fd 05 a8 39 7a 83 d5 06 00 00 Data Ascii: uR]0|`T>ZtS+RJ}+U&iQifGU%1{:6b&MQd~Qd^mA kPtoW)(q$:AuU_~ER48&&\bN`(K9nT{}`}1eHu].EI^2;]V<$Tq8[1^9rID)GWH|DXBy*QipJ2tXIa(4F**_>~~jj5~z2'zW>qG{:9]&r0pG]01i nN_L0!S~dBbE'C2@HB` fN%&5_>,Q_D,XT-:Zi`dh]\aq
Source: global traffic HTTP traffic detected: GET /dsswey4464/update?email=backoffice@sampension.dk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/?email=backoffice@sampension.dk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-US HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/loginDialog.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/generatedDefaults.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/logo.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/loginBasic.css HTTP/1.1Accept: text/css, */*Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/is HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/loginAdvanced.css HTTP/1.1Accept: text/css, */*Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/top.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/bottom.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/img/background.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /dsswey4464/update/login_files/img/middle.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6EFFCA3F5785DF04D&response_mode=form_post&response_type=code+id_token&scope=openid+profile&email=backoffice@sampension.dk&Connect_Authentication_Properties&&nonce=50086702864b141fa6256f0d6effca3f5785df04d&redirect_uri=&ui_locales=en-US&mkt=en-USAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sampension.dkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: nlbizsolutions.comConnection: Keep-AliveCookie: PHPSESSID=cec25705599582da27675ea0c2b14959
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9a0c8897,0x01d72c5e</date><accdate>0x9a0c8897,0x01d72c5e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9a0c8897,0x01d72c5e</date><accdate>0x9a0c8897,0x01d72c5e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9a114cf1,0x01d72c5e</date><accdate>0x9a114cf1,0x01d72c5e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9a114cf1,0x01d72c5e</date><accdate>0x9a114cf1,0x01d72c5e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9a13af3f,0x01d72c5e</date><accdate>0x9a13af3f,0x01d72c5e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9a13af3f,0x01d72c5e</date><accdate>0x9a13af3f,0x01d72c5e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: nlbizsolutions.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 10:04:14 GMTServer: nginx/1.19.5Content-Type: text/htmlContent-Length: 462Last-Modified: Tue, 23 Apr 2019 06:55:17 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipData Raw: 1f 8b 08 00 00 00 00 00 00 03 5d 92 4d 8f d3 30 10 86 ef fd 15 43 38 00 52 dd 8f a5 0b 28 1f 15 17 e0 82 d0 6a 57 70 9f c4 d3 c4 c2 f1 04 7b da a6 ac f6 bf 6f 9c b4 cb b2 f2 c1 f2 78 de 77 9e 19 3b 7f a5 b9 92 53 47 d0 48 6b b7 b3 3c 6e 60 d1 d5 45 42 2e 89 01 42 bd 9d 01 e4 2d 09 42 d5 a0 0f 24 45 b2 97 9d fa 94 fc bb 68 44 3a 45 7f f6 e6 50 24 bd da a3 aa b8 ed 50 4c 69 29 81 8a 9d 90 1b 54 86 0a d2 35 4d 3a 31 62 69 bb 59 6d e0 8b f7 ec f3 e5 14 78 b2 74 d8 52 91 1c 0c 1d 3b f6 f2 cc e5 68 b4 34 85 a6 83 a9 48 8d 87 39 18 67 c4 a0 55 a1 42 4b c5 3a 79 69 e3 b9 64 09 cf 4c 1c 1b a7 a9 9f 83 e3 1d 5b cb c7 49 12 e4 34 31 00 7c 6e 49 1b 84 50 79 22 07 e8 34 bc 6d b1 9f 0a a6 d7 ab 55 d7 bf 83 fb 31 13 a0 64 7d 82 7b d8 0d ee 2a 98 bf 94 c2 e2 03 b5 19 3c c0 98 f0 10 ad 97 67 ef 7c 39 cd 74 96 8f aa 31 5a 24 42 bd 28 b4 a6 76 29 54 03 21 f9 6c 20 8a ba 66 7d c9 19 ed 77 d8 1a 7b 4a e1 1b b1 af 0d ce 21 90 37 bb 6c e8 cc b2 4f e1 f5 06 e3 ca a0 c5 e1 da 29 e1 2e 85 4d 64 b1 c6 91 6a c8 d4 8d a4 b0 5e 5c 67 c9 d4 e7 1d 7b 7f 9a 83 34 26 40 87 35 81 66 0a ee 8d 00 f5 26 c8 22 2f fd f6 c6 12 06 1a 5e 9f aa df 43 22 c1 cf db ef c0 1e 6a 86 12 87 10 8e c2 c5 d8 65 b3 8e b6 23 f8 d5 05 1c e0 3f f4 5f e4 35 ba 88 8e 2e a8 17 fc 1f 75 5c d9 a4 38 9e 71 df af 56 17 dc a7 0f b3 80 9b 48 fb 83 05 be f2 de e9 73 f9 ab b1 7c be 8c c3 8d 43 5e 4e 3f fb 11 21 b9 04 0e ea 02 00 00 Data Ascii: ]M0C8R(jWp{oxw;SGHk<n`EB.B-B$EhD:EP$PLi)T5M:1biYmxtR;h4H9gUBK:yidL[I41|nIPy"4mU1d}{*<g|9t1Z$B(v)T!l f}w{J!7lO).Mdj^\g{4&@5f&"/^C"je#?_5.u\8qVHs|C^N?!
Source: update[1].htm.3.dr String found in binary or memory: http://nlbizsolutions.com/dsswey4464/update/?email=backoffice
Source: ~DF0A4DF2C8364664C9.TMP.1.dr, {C2FDE60B-9851-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: http://nlbizsolutions.com/dsswey4464/update/hchgukzwr4viyk41vpqmzxrf.php?client_id=64B141FA6256F0D6E
Source: hchgukzwr4viyk41vpqmzxrf[1].htm.3.dr String found in binary or memory: http://sampension.dk/favicon.ico
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 13.32.25.98:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: classification engine Classification label: mal64.phis.win@3/27@3/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2FDE609-9851-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF289FA0CBFC477D32.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Behavior Graph (rendered as an image in the original report; only the data recoverable from the graph is listed here)

Behavior Graph ID: 383899
URL: http://nlbizsolutions.com/d... (truncated in the graph)
Start date: 08/04/2021
Architecture: WINDOWS
Score: 64
Top-level signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Yara detected HtmlPhish10
Process chain: iexplore.exe (graph counters 1, 73) started -> iexplore.exe (graph counters 2, 46) started
Network contacts from the child iexplore.exe:
  nlbizsolutions.com 108.179.234.125, ports 49729, 49730, 49731, UNIFIEDLAYER-AS-1US, United States
  sampension.dk 13.32.25.98, port 443, ports 49735, 49736, ATT-INTERNET4US, United States
Dropped file: C:\Users\...\hchgukzwr4viyk41vpqmzxrf[1].htm (HTML)

Contacted Public IPs

IP               | Domain             | Country       | ASN   | ASN Name            | Malicious
108.179.234.125  | nlbizsolutions.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
13.32.25.98      | sampension.dk      | United States | 7018  | ATT-INTERNET4US     | false

Contacted Domains

Name               | IP              | Active
sampension.dk      | 13.32.25.98     | true
nlbizsolutions.com | 108.179.234.125 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://nlbizsolutions.com/dsswey4464/update?email=backoffice@sampension.dk | true | | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/img/middle.png | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/favicon.ico | false | Avira URL Cloud: safe | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/logo.png | false | Avira URL Cloud: phishing | unknown
http://sampension.dk/favicon.ico | false | | high
http://nlbizsolutions.com/dsswey4464/update/login_files/loginDialog.js | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/generatedDefaults.js | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/is | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/loginBasic.css | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/bottom.png | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/dsswey4464/update/?email=backoffice@sampension.dk | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/top.png | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/img/background.png | false | Avira URL Cloud: phishing | unknown
http://nlbizsolutions.com/dsswey4464/update/login_files/loginAdvanced.css | false | Avira URL Cloud: phishing | unknown