Play interactive tour

Edit tour

Analysis Report https://goldenislesskincare.com/office365/index.php

Overview

General Information

Sample URL:	https://goldenislesskincare.com/office365/index.php
Analysis ID:	385431
Infos:
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish10

Phishing site detected (based on image similarity)

Phishing site detected (based on logo template match)

HTML body contains low number of good links

HTML title does not match URL

Classification

Startup

System is w10x64

iexplore.exe (PID: 2548 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5964 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2548 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\login[1].htm	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: https://goldenislesskincare.com/office365/index.php

UrlScan: detection malicious, Label: phishing brand: microsoft

Perma Link

Antivirus detection for URL or domain

Show sources

Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: https://goldenislesskincare.com/office365/login.php#	UrlScan: Label: phishing brand: microsoft	Perma Link
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	UrlScan: Label: phishing brand: microsoft	Perma Link

Phishing:

Phishing site detected (based on favicon image match)

Show sources

Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish10

Show sources

Source: Yara match	File source: 936905.0.links.csv, type: HTML
Source: Yara match	File source: 936905.pages.csv, type: HTML
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\login[1].htm, type: DROPPED

Phishing site detected (based on image similarity)

Show sources

Source: https://goldenislesskincare.com/office365/assets/images/logo.svg	Matcher: Found strong image similarity, brand: Microsoft			Jump to dropped file
Source: https://goldenislesskincare.com/office365/assets/images/background.jpg	Matcher: Found strong image similarity, brand: Microsoft			Jump to dropped file

Phishing site detected (based on logo template match)

Show sources

Source: https://goldenislesskincare.com/office365/login.php#	Matcher: Template: microsoft matched
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	Matcher: Template: microsoft matched

Source: https://goldenislesskincare.com/office365/login.php#	HTTP Parser: Number of links: 0
Source: https://goldenislesskincare.com/office365/login.php#	HTTP Parser: Number of links: 0
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	HTTP Parser: Number of links: 0
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	HTTP Parser: Number of links: 0

Source: https://goldenislesskincare.com/office365/login.php#	HTTP Parser: Title: Sign in to your Microsoft account does not match URL
Source: https://goldenislesskincare.com/office365/login.php#	HTTP Parser: Title: Sign in to your Microsoft account does not match URL
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	HTTP Parser: Title: Sign in to your Microsoft account does not match URL
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	HTTP Parser: Title: Sign in to your Microsoft account does not match URL

Source: https://goldenislesskincare.com/office365/login.php#	HTTP Parser: No <meta name="author".. found
Source: https://goldenislesskincare.com/office365/login.php#	HTTP Parser: No <meta name="author".. found
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	HTTP Parser: No <meta name="author".. found
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	HTTP Parser: No <meta name="author".. found

Source: https://goldenislesskincare.com/office365/login.php#	HTTP Parser: No <meta name="copyright".. found
Source: https://goldenislesskincare.com/office365/login.php#	HTTP Parser: No <meta name="copyright".. found
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	HTTP Parser: No <meta name="copyright".. found
Source: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 64.187.225.237:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.187.225.237:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.187.225.237:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: unknown

DNS traffic detected: queries for: goldenislesskincare.com

Source: popper.min[1].js.4.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: login[1].htm.4.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: login[1].htm.4.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js
Source: bootstrap.min[1].css.4.dr, bootstrap.min[1].js.4.dr	String found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].css.4.dr, bootstrap.min[1].js.4.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.4.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: imagestore.dat.4.dr	String found in binary or memory: https://goldenislesskincare.com/office365/assets/images/favicon.ico
Source: imagestore.dat.4.dr	String found in binary or memory: https://goldenislesskincare.com/office365/assets/images/favicon.ico~
Source: imagestore.dat.4.dr	String found in binary or memory: https://goldenislesskincare.com/office365/assets/images/favicon.ico~(
Source: ~DFF4F623BDEC391A40.TMP.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/index.php
Source: {1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/index.phpRoot
Source: {1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/index.phpncare.com/office365/login.phpRoot
Source: {1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/login.p=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&
Source: {1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/login.pd1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679
Source: ~DFF4F623BDEC391A40.TMP.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/login.php
Source: ~DFF4F623BDEC391A40.TMP.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/login.php#=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737
Source: {1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnhp
Source: ~DFF4F623BDEC391A40.TMP.2.dr, {1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.67
Source: {1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	String found in binary or memory: https://goldenislesskincare.com/office365/login.phpncare.com/office365/login.php#wa=wsignin1.0&rpsnv
Source: login[1].htm.4.dr	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css
Source: login[1].htm.4.dr	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 64.187.225.237:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.187.225.237:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.187.225.237:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: classification engine

Classification label: mal80.phis.win@3/18@4/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B20509A-9BD2-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFB5A58295C3633009.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2548 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2548 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://goldenislesskincare.com/office365/index.php	0%	Virustotal		Browse
https://goldenislesskincare.com/office365/index.php	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/index.php	100%	UrlScan	phishing brand: microsoft	Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
goldenislesskincare.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	100%	SlashNext	Fake Login Page type: Phishing & Social Engineering
https://goldenislesskincare.com/office365/login.php#	100%	UrlScan	phishing brand: microsoft	Browse
https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	100%	UrlScan	phishing brand: microsoft	Browse
https://goldenislesskincare.com/office365/index.phpncare.com/office365/login.phpRoot	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/assets/images/favicon.ico	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/login.php	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/login.pd1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/assets/images/favicon.ico~(	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/login.p=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnhp	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.67	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/login.php#=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/login.phpncare.com/office365/login.php#wa=wsignin1.0&rpsnv	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/index.phpRoot	0%	Avira URL Cloud	safe
https://goldenislesskincare.com/office365/assets/images/favicon.ico~	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdnjs.cloudflare.com	104.16.18.94	true	false		high
maxcdn.bootstrapcdn.com	104.18.10.207	true	false		high
goldenislesskincare.com	64.187.225.237	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://goldenislesskincare.com/office365/login.php#	true	100%, UrlScan, Browse	unknown
https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	true	100%, UrlScan, Browse SlashNext: Fake Login Page type: Phishing & Social Engineering	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://goldenislesskincare.com/office365/index.phpncare.com/office365/login.phpRoot	{1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	true	Avira URL Cloud: safe	unknown
https://goldenislesskincare.com/office365/assets/images/favicon.ico	imagestore.dat.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/twbs/bootstrap/graphs/contributors)	bootstrap.min[1].js.4.dr	false		high
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js	login[1].htm.4.dr	false		high
https://goldenislesskincare.com/office365/login.php	~DFF4F623BDEC391A40.TMP.2.dr	false	Avira URL Cloud: safe	unknown
https://goldenislesskincare.com/office365/login.pd1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679	{1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js	login[1].htm.4.dr	false		high
https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css	login[1].htm.4.dr	false		high
https://goldenislesskincare.com/office365/assets/images/favicon.ico~(	imagestore.dat.4.dr	false	Avira URL Cloud: safe	unknown
https://github.com/twbs/bootstrap/blob/master/LICENSE)	bootstrap.min[1].css.4.dr, bootstrap.min[1].js.4.dr	false		high
https://goldenislesskincare.com/office365/login.p=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&	{1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	false	Avira URL Cloud: safe	unknown
http://opensource.org/licenses/MIT).	popper.min[1].js.4.dr	false		high
https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnhp	{1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	true	Avira URL Cloud: safe	unknown
https://getbootstrap.com/)	bootstrap.min[1].css.4.dr, bootstrap.min[1].js.4.dr	false		high
https://goldenislesskincare.com/office365/index.php	~DFF4F623BDEC391A40.TMP.2.dr	true		unknown
https://goldenislesskincare.com/office365/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.67	~DFF4F623BDEC391A40.TMP.2.dr, {1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	true	Avira URL Cloud: safe	unknown
https://goldenislesskincare.com/office365/login.php#=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737	~DFF4F623BDEC391A40.TMP.2.dr	true	Avira URL Cloud: safe	unknown
https://goldenislesskincare.com/office365/login.phpncare.com/office365/login.php#wa=wsignin1.0&rpsnv	{1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	false	Avira URL Cloud: safe	unknown
https://goldenislesskincare.com/office365/index.phpRoot	{1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat.2.dr	true	Avira URL Cloud: safe	unknown
https://goldenislesskincare.com/office365/assets/images/favicon.ico~	imagestore.dat.4.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
64.187.225.237	goldenislesskincare.com	United States	46261	QUICKPACKETUS	false
104.18.10.207	maxcdn.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
104.16.18.94	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385431
Start date:	12.04.2021
Start time:	13:59:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	browseurl.jbs
Sample URL:	https://goldenislesskincare.com/office365/index.php
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.phis.win@3/18@4/3
Cookbook Comments:	Adjust boot time Enable AMSI Browsing link: https://goldenislesskincare.com/office365/login.php#
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 92.122.145.220, 88.221.62.148, 172.217.168.74, 13.64.90.137, 92.122.144.200, 20.82.209.183, 152.199.19.161 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, arc.msn.com.nsatc.net, ajax.googleapis.com, ie9comview.vo.msecnd.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B20509A-9BD2-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8571460605195123
Encrypted:	false
SSDEEP:	192:r8ZzZz2dWztJ3ifJ3w3+xMu3w3lc3w32c303Lfc303yMX:r8VK0xK07OLf
MD5:	235E5B89939C706028045641C14A570E
SHA1:	E3D4C2646FD8F1975A41D70DFB719EEA4728AFAA
SHA-256:	83D1AC5705C1FAC4052F79BA7FBB0394E5E9EECD2A8D611B0C1DF745C432A61A
SHA-512:	6E4E9F28C6E34453C976C2B5595155F704BDB5602ADB067B8994CFD672610649594E7A12B56E8069E44AA741D1279CA7496969C6F938491CDF7BE967E2632228
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1B20509C-9BD2-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	47038
Entropy (8bit):	2.362961760193627
Encrypted:	false
SSDEEP:	384:riSKu9gJhu1yObHbSbqtbkbybFbrbBbEbbGH1b+:O
MD5:	7FCDD662A6C74C7DB3F274D558473C7C
SHA1:	7C9A6B0692F85D73E0E700B9F35116FD1399C891
SHA-256:	A6369DE9B199D8078BC1C8D9538694080ABA9732910EB05E39F6EE0C2A75010F
SHA-512:	BBAFB1E69C35C7BCFF6A7AFBD56089EF7983717DC97C0B2EFA3B84D2A026ACD7D889362893E542AF0663AF1670AD86B219411E2BE63DC0A2DFCD2372D3A5A823
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1B20509D-9BD2-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5663137351246859
Encrypted:	false
SSDEEP:	48:IwdrGcprTAGwpadEG4pQf2GrapbS3GQpKFG7HpRCZTGIpG:rHZcQS6wBSBA0TCfA
MD5:	C731FE517AEB46AC98F9331952E24B4C
SHA1:	4379E9A01D0DC7FB22CB8A4DBF7C56038AF7F0DF
SHA-256:	A7C1BDE62777371865875F87523302D1A0E8579ABFE7120C37E1B3ED411FA04A
SHA-512:	5AAC63E40145F57109D0DE2A244B5ABAD873314D46231B9ACFAFFF4A9466A908438E1774C0B808B58B4F3AC40857A4574E5CDAD5B41DDDD6C90A43BD55BC3300
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	18236
Entropy (8bit):	3.089563976041644
Encrypted:	false
SSDEEP:	48:Y5Vgt5VgI5Vgw5Vgtgyyyyyyyyyyyyy55VgDU5VgGQQQQQJ:sItl0NfQQQQQJ
MD5:	81DB11B46127012D9B04435A3FE488C1
SHA1:	0BADCA112E68E8B33574CE7ABCB029A2AF1C2087
SHA-256:	7B20DB063037533833CFB49F9AA98A9A609C85103AEE51907C206905827E22C6
SHA-512:	F3ADCA92EE9A8CF81BA2E2502B650CA927B786DF0DD7F3949C0E32E3BB4AB4D944156ADF5830BFA326F4B32101EE8D0B8B922AC72D2D2096513DA0A0B04F99F7
Malicious:	false
Reputation:	low
Preview:	C.h.t.t.p.s.:././.g.o.l.d.e.n.i.s.l.e.s.s.k.i.n.c.a.r.e...c.o.m./.o.f.f.i.c.e.3.6.5./.a.s.s.e.t.s./.i.m.a.g.e.s./.f.a.v.i.c.o.n...i.c.o.~(................h(......(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""""""

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\background[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, baseline, precision 8, 1920x1080, frames 3
Category:	downloaded
Size (bytes):	283351
Entropy (8bit):	7.975896455873056
Encrypted:	false
SSDEEP:	6144:hPgRhluS12CyK8XGsLzsr5XONnQ4/bEmhZSIj6xU2zyOX/:2vz1pyWsLoXqN/YWPUU2OOX/
MD5:	A5DBD4393FF6A725C7E62B61DF7E72F0
SHA1:	55B292F885FFC92ABCE18750B07AA4ACFA4E903E
SHA-256:	211A907DE2DA0FF4A0E90917AC8054E2F35C351180977550C26E51B4909F2BEB
SHA-512:	850586A05B67EF25492BD50A090F1EC0A0CC21DC4E4EFEB35E19CDC78A98F9415A3807318FA02664EADE87F0E2D8FA2A2958CD0D712329800FC05689E01DC614
Malicious:	false
Reputation:	low
IE Cache URL:	https://goldenislesskincare.com/office365/assets/images/background.jpg
Preview:	.....Phttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about=""/> </rdf:RDF> </x:xmpmeta>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\ellipsis_white[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	915
Entropy (8bit):	3.877322891561989
Encrypted:	false
SSDEEP:	24:t4CvnAVRf83f1QqCSzGUdiHTVtpRduf1QqCWbVHTVeUV0Uv6f1QqCWbVHTVeUV0W:fnL1QqC4GuiHFXS1QqCWRHQ3V1QqCWRV
MD5:	5AC590EE72BFE06A7CECFD75B588AD73
SHA1:	DDA2CB89A241BC424746D8CF2A22A35535094611
SHA-256:	6075736EA9C281D69C4A3D78FF97BB61B9416A5809919BABE5A0C5596F99AAEA
SHA-512:	B9135D934B9EA50B51BB0316E383B114C8F24DFE75FEF11DCBD1C96170EA59202F6BAFE11AAF534CC2F4ED334A8EA4DBE96AF2504130896D6203BFD2DA69138F
Malicious:	false
Reputation:	low
IE Cache URL:	https://goldenislesskincare.com/office365/assets/images/ellipsis_white.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"><title>assets</title><path fill="#ffffff" d="M1.143,6.857a1.107,1.107,0,0,1,.446.089,1.164,1.164,0,0,1,.607.607,1.161,1.161,0,0,1,0,.893,1.164,1.164,0,0,1-.607.607,1.107,1.107,0,0,1-.446.089A1.107,1.107,0,0,1,.7,9.054a1.164,1.164,0,0,1-.607-.607,1.161,1.161,0,0,1,0-.893A1.164,1.164,0,0,1,.7,6.946a1.107,1.107,0,0,1,.446-.089M8,6.857a1.107,1.107,0,0,1,.446.089,1.164,1.164,0,0,1,.607.607,1.161,1.161,0,0,1,0,.893,1.164,1.164,0,0,1-.607.607,1.161,1.161,0,0,1-.893,0,1.164,1.164,0,0,1-.607-.607,1.161,1.161,0,0,1,0-.893,1.164,1.164,0,0,1,.607-.607A1.107,1.107,0,0,1,8,6.857m6.857,0a1.107,1.107,0,0,1,.446.089,1.164,1.164,0,0,1,.607.607,1.161,1.161,0,0,1,0,.893,1.164,1.164,0,0,1-.607.607,1.161,1.161,0,0,1-.893,0,1.164,1.164,0,0,1-.607-.607,1.161,1.161,0,0,1,0-.893,1.164,1.164,0,0,1,.607-.607A1.107,1.107,0,0,1,14.857,6.857Z"/></svg>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\bootstrap.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	140936
Entropy (8bit):	5.058262383051032
Encrypted:	false
SSDEEP:	1536:un1QWSUPBT+QYYDnDEBi82NcuSEz/NvT/gIENM6HN26e:q1L7PDxYIENM6HN26e
MD5:	04ACA1F4CD3EC3C05A75A879F3BE75A3
SHA1:	675FCF28F9FBF37139D3B2C0B676F96F601A4203
SHA-256:	7928B5AB63C6E89EE0EE26F5EF201A58C72BAF91ABB688580A1AA26EB57B3C11
SHA-512:	890415FA75ED065992DD7883AED98BFBDFD9FA26EEC7E62EA30263238ADCA4EECD6204F37D33A214D9B4F645AD7D9CC407D7D0E93C0E55CF251555A8A05B83FF
Malicious:	false
Reputation:	low
IE Cache URL:	https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css
Preview:	/!. Bootstrap v4.1.3 (https://getbootstrap.com/). * Copyright 2011-2018 The Bootstrap Authors. * Copyright 2011-2018 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). /:root{--blue:#007bff;--indigo:#6610f2;--purple:#6f42c1;--pink:#e83e8c;--red:#dc3545;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#ffc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace},::after,::before{box-sizing:border-box}h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\bootstrap.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	51039
Entropy (8bit):	5.247253437401007
Encrypted:	false
SSDEEP:	768:E9Yw7GuJM+HV0cen/7Kh5rM7V4RxCKg8FW/xsXQUd+FiID65r48Hgp5HRl+:E9X7PMIM7V4R5LFAxTWyuHHgp5HRl+
MD5:	67176C242E1BDC20603C878DEE836DF3
SHA1:	27A71B00383D61EF3C489326B3564D698FC1227C
SHA-256:	56C12A125B021D21A69E61D7190CEFA168D6C28CE715265CEA1B3B0112D169C4
SHA-512:	9FA75814E1B9F7DB38FE61A503A13E60B82D83DB8F4CE30351BD08A6B48C0D854BAF472D891AF23C443C8293380C2325C7B3361B708AF9971AA0EA09A25CDD0A
Malicious:	false
Reputation:	low
IE Cache URL:	https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Preview:	/!. Bootstrap v4.1.3 (https://getbootstrap.com/). * Copyright 2011-2018 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors). * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). */.!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("jquery"),require("popper.js")):"function"==typeof define&&define.amd?define(["exports","jquery","popper.js"],e):e(t.bootstrap={},t.jQuery,t.Popper)}(this,function(t,e,h){"use strict";function i(t,e){for(var n=0;n<e.length;n++){var i=e[n];i.enumerable=i.enumerable\|\|!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(t,i.key,i)}}function s(t,e,n){return e&&i(t.prototype,e),n&&i(t,n),t}function l(r){for(var t=1;t<arguments.length;t++){var o=null!=arguments[t]?arguments[t]:{},e=Object.keys(o);"function"==typeof Object.getOwnPropertySymbols&&(e=e.concat(Object.getOwnPropertySymbols(o).filter(function(t){return Object.getOwnPropertyDescriptor(o,t).enum

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\index[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.280667511657908
Encrypted:	false
SSDEEP:	3:gn3oONz/nVZGc7b:63HnVZGYb
MD5:	52145482C54E01965498BA29C5663DEF
SHA1:	768727DEA70749808298FB8D6B6673B1BC8AB187
SHA-256:	98B9853069073BF3E403B40CCD5359408C9DE05CDC5F990CB41AA5DB0F3A08AE
SHA-512:	E5A224C291A1F321A3B0DEF448E9ED5AFBB77BBDC36A4B94878723D8ABF67DA30E33F43A91E1CF7093FBB7963C8F3D78CC0DEB07F1FC4B98677B7538CEABBC1D
Malicious:	false
Reputation:	low
Preview:	<script>window.location = 'login.php';</script>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\login[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text
Category:	dropped
Size (bytes):	2765
Entropy (8bit):	4.946781761783556
Encrypted:	false
SSDEEP:	24:hYhz/wHRdjMG38dLNVXf1L0ZuNVLNV4NtHfg77DhRvAdKXAh1iSAeptGXrRAV2d4:C8lf2bAzNxfgh6oXMme7GG2uZ80D
MD5:	B745EC1F12F6E15E16D9B8AFFF76C616
SHA1:	7276F7ABEA2F66C707E9DDEE2932A0C78C954805
SHA-256:	2BE3EDAA000D8CF4860FDE1E500A25E89B32E65C883682968F93E3527C585C87
SHA-512:	A9A8F133B98F7A37965D616787A2CD07ED35B9679771690AD3CA48BFC38D4A7D1BC659772D3B7B012F1B956C2F82CE8B235DAC9EA13A4F7DF1A76280AC6793E4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_HtmlPhish_10, Description: Yara detected HtmlPhish_10, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\login[1].htm, Author: Joe Security
Reputation:	low
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <title>Sign in to your Microsoft account</title>. <meta charset="utf-8">. <meta name="viewport" content="width=device-width, initial-scale=1">. <link rel="shortcut icon" href="assets/images/favicon.ico">. <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css">. <link rel="stylesheet" href="assets/css/login.css">. <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>. <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js"></script>. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js"></script>.</head>.<body>. .<div class="container-fluid">. <div class="row d-flex align-items-center">. <div class="col-lg-4 col-md-4 col-xs-12 mx-auto">. <div class="card">. <div class="card-body">. <img src="assets/images/logo.svg">.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\logo[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	3651
Entropy (8bit):	4.094801914706141
Encrypted:	false
SSDEEP:	96:wO4DZ+Stb/jY+eo4hAryAes9mBYYQgWLDm9:wToSBjlevudl9nO
MD5:	EE5C8D9FB6248C938FD0DC19370E90BD
SHA1:	D01A22720918B781338B5BBF9202B241A5F99EE4
SHA-256:	04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A
SHA-512:	C77215B729D0E60C97F075998E88775CD0F813B4D094DC2FDD13E5711D16F4E5993D4521D0FBD5BF7150B0DBE253D88B1B1FF60901F053113C5D7C1919852D58
Malicious:	false
Reputation:	low
IE Cache URL:	https://goldenislesskincare.com/office365/assets/images/logo.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0,0,1,.419-.967,1.413,1.413,0,0,1,1-.39,1.392,1.392,0,0,1,1.02.4,1.3,1.3,0,0,1,.4.958,1.248,1.248,0,0,1-.414.953,1.428,1.428,0,0,1-1.01.385A1.4,1.4,0,0,1,47.25,6.6a1.261,1.261,0,0,1-.409-.948M49.41,18.4H47.081V8.507H49.41Zm7.064-1.694a3.213,3.213,0,0,0,1.145-.241,4.811,4.811,0,0,0,1.155-.635V18a4.665,4.665,0,0,1-1.266.481,6.886,6.886,0,0,1-1.554.164,4.707,4.707,0,0,1-4.918-4.908,5.641,5.641,0,0,1,1.4-3.932,5.055,5.055,0,0,1,3.955-1.545,5.414,5.414,0,0,1,1.324.168,4.431,4.431,0,0,1,1.063.39v2.233a4.763,4.763,0,0,0-1.1-.611,3.184,3.184,0,0,0-1.15-.217,2.919,2.919,0,0,0-2.223.9,3.37,3.37,0,0,0-.847,2.416,3.216,3.216,0,0,0,.813,2.338,2.936,2.936,0,0,0,2.209.837M65.4,8.343a2.952,2.952,0,0,1,.5.039,2.1,2.1,0,0,1,.375.1v2.358a2.04,2.04,0,0,0-.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 6 icons, 128x128, 16 colors, 72x72, 16 colors
Category:	downloaded
Size (bytes):	17174
Entropy (8bit):	2.9129715116732746
Encrypted:	false
SSDEEP:	24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
MD5:	12E3DAC858061D088023B2BD48E2FA96
SHA1:	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:	C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:	false
Reputation:	low
IE Cache URL:	https://goldenislesskincare.com/office365/assets/images/favicon.ico
Preview:	..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\popper.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	20337
Entropy (8bit):	5.215593959725368
Encrypted:	false
SSDEEP:	384:fYn0vf4wzTC9nNbR1PTM4CrBEQxkxpOxvYLmD75zfC5vIfg3rzGp/TidOgHhXjE9:w0vAwzTC/nM4BxpOxv/D7pC5vfzy/TiE
MD5:	83FB8C4D9199DCE0224DA0206423106F
SHA1:	D8503645C17F9856868A7DEF3DC0505E19A95EC7
SHA-256:	F7CBC01A310318DEFD4E31E4616543E2CF3BAEF5A47562C73ECE4C0B716F157E
SHA-512:	95D735B0FBB5159F2C9A0920A7E1F09D8C956F57919F6C0498AAC383526A3C46F4DBE122E243730C843453087400954B4058C9A16C06FBBEB8C7BD33CB94EFE0
Malicious:	false
Reputation:	low
IE Cache URL:	https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js
Preview:	/. Copyright (C) Federico Zivolo 2018. Distributed under the MIT License (license terms are at http://opensource.org/licenses/MIT).. /(function(e,t){'object'==typeof exports&&'undefined'!=typeof module?module.exports=t():'function'==typeof define&&define.amd?define(t):e.Popper=t()})(this,function(){'use strict';function e(e){return e&&'[object Function]'==={}.toString.call(e)}function t(e,t){if(1!==e.nodeType)return[];var o=getComputedStyle(e,null);return t?o[t]:o}function o(e){return'HTML'===e.nodeName?e:e.parentNode\|\|e.host}function n(e){if(!e)return document.body;switch(e.nodeName){case'HTML':case'BODY':return e.ownerDocument.body;case'#document':return e.body;}var i=t(e),r=i.overflow,p=i.overflowX,s=i.overflowY;return /(auto\|scroll\|overlay)/.test(r+s+p)?e:n(o(e))}function r(e){return 11===e?re:10===e?pe:re\|\|pe}function p(e){if(!e)return document.documentElement;for(var o=r(10)?document.body:null,n=e.offsetParent;n===o&&e.nextElementSibling;)n=(e=e.nextElementSibling).offsetParent

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\jquery.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	86927
Entropy (8bit):	5.289226719276158
Encrypted:	false
SSDEEP:	1536:jLiBdiaWLOczCmZx6+VWuGzQNOzdn6x2RZd9SEnk9HB96c9Yo/NWLbVj3kC6t3:5kn6x2xe9NK6nC69
MD5:	A09E13EE94D51C524B7E2A728C7D4039
SHA1:	0DC32DB4AA9C5F03F3B38C47D883DBD4FED13AAE
SHA-256:	160A426FF2894252CD7CEBBDD6D6B7DA8FCD319C65B70468F10B6690C45D02EF
SHA-512:	F8DA8F95B6ED33542A88AF19028E18AE3D9CE25350A06BFC3FBF433ED2B38FEFA5E639CDDFDAC703FC6CAA7F3313D974B92A3168276B3A016CEB28F27DB0714A
Malicious:	false
Reputation:	low
IE Cache URL:	https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Preview:	/! jQuery v3.3.1 \| (c) JS Foundation and other contributors \| jquery.org/license /.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t\|\|r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e\|\|"function"==typeof e?l[c.call(e)]\|\|"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\login[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1965
Entropy (8bit):	4.646756006993403
Encrypted:	false
SSDEEP:	24:Uw9P6AoJHaUaktwIcuo5A4yTa9KFxIdSFidYir/bFF/EnFw1eC5Ah+C5ncAvDKTa:UyaFtwperFidYe/JF/A2V5Ah75cAvGTa
MD5:	B8C8C2DD60E847A55847F9469A138078
SHA1:	936BA10971C42CB21C1733E9D18577D9705FC32C
SHA-256:	35C946CBC580E838B6B3255EE94576AD8C31A741AF87EE42A9FC27CCDB852F54
SHA-512:	026C1DA6CD7EAEB5339F1DE0C6D63D855CC7753B113B1093796C30B2663C9579908C362E6F92F1D4304F035D3AD8A5DE24961DED522A93AA85726255E304112B
Malicious:	false
Reputation:	low
IE Cache URL:	https://goldenislesskincare.com/office365/assets/css/login.css
Preview:	body {.. background: url('../images/background.jpg') no-repeat fixed center;..}...row {.. height: 100vh;..}...card {.. padding: 25px;.. border-radius: 0;..}...card-body > img,...card-body > h4 {.. margin-bottom: 20px;..}...form-control {.. border-top: none;.. border-left: none;.. border-right: none;.. border-radius: unset;.. border-bottom: 1px solid rgba(0,0,0,.6);.. padding-left: 0;.. transition: 0.2s ease all; .. -moz-transition: 0.2s ease all; .. -webkit-transition: 0.2s ease all;..}...form-control:focus {.. box-shadow: unset;..}...form-control::placeholder {.. color: rgba(0,0,0,.6);.. font-size: 16px;..}..input:invalid {.. box-shadow: none;.. -moz-box-shadow: none;..}...form-group > p {.. font-size: 14px;.. margin-top: 15px;.. margin-bottom: 70px;..}...form-group > p > a {.. text-decoration: none;..}...btn {.. width: 120px;.. background: #0067b8;.. color: #fff;.. border-radius: 0;..}...footer {.. po

C:\Users\user\AppData\Local\Temp\~DF39D4EBCCA584C79D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB5A58295C3633009.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4802481359498798
Encrypted:	false
SSDEEP:	12:c9lCg5/9lCgeK9l26an9l26an9l8fRg9l8fRw9lTqFsnXf:c9lLh9lLh9lIn9lIn9log9low9lWmP
MD5:	13FF70D9E690FD7B0788FF69A57353CA
SHA1:	979C325361783F4260DF529271CF8E6C14D97CCD
SHA-256:	73D209BD023D16A2CF47716A52D673412CD142979884C02510BD547A9B970850
SHA-512:	BE256A2BEBB03323007B457B9CFCFBC891912E9A97BF928ADB5C5512A87A46EF7F040835608A41E052B8291C580521E7BF6493800B6BA0725561449996D1BEA7
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF4F623BDEC391A40.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	56041
Entropy (8bit):	0.9744403907386884
Encrypted:	false
SSDEEP:	384:kBqoxKAuqR+vRT6hGQx4hbybqtbkbybXbubwXbskb:
MD5:	8B560FDC2C8589B672D37D09959D3B19
SHA1:	122D2433063C04CAE202030D4E4BBDBC08E5C321
SHA-256:	BDFDBBE8131A60060A457EF0FE9A74048BA6D875EB798145F4936282D2134FE9
SHA-512:	BD88BE1EC3E71771974CFDB963B139D2A77986ED66499BAFF659F377AE783DCA76CC7E2BD705A83AA335EAC790CDAA25FDB14A08C6E1D69DBEBB6799EB5DF993
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 14:00:28.879657030 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:28.880152941 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.016208887 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.016310930 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.016474962 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.016567945 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.022253036 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.022464991 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.159702063 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.159774065 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.161335945 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.161421061 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.161451101 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.161464930 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.161489010 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.161503077 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.161552906 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.161585093 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.161655903 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.165838003 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.165935040 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.166899920 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.166941881 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.166979074 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.166997910 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.167009115 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.167094946 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.167139053 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.167263031 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.167320967 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.171904087 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.171993971 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.229931116 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.230452061 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.236476898 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.369517088 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.369621992 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.370261908 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.370342970 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.413865089 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.554260969 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.554361105 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.724045038 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.860447884 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.901645899 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.901680946 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.901840925 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.907107115 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:29.907636881 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.914733887 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.942310095 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:29.943902016 CEST	49704	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.050940037 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.051835060 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.051877975 CEST	443	49702	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.051985979 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.052036047 CEST	49702	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.079746008 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.079807997 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.079833984 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.079870939 CEST	443	49703	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.079973936 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.080024004 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.080056906 CEST	443	49704	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.082957983 CEST	49704	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.085738897 CEST	49704	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.110363960 CEST	49703	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.113524914 CEST	49705	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.132872105 CEST	49706	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.133332968 CEST	49707	443	192.168.2.5	104.18.10.207
Apr 12, 2021 14:00:30.133775949 CEST	49708	443	192.168.2.5	104.18.10.207
Apr 12, 2021 14:00:30.165255070 CEST	443	49705	104.16.18.94	192.168.2.5
Apr 12, 2021 14:00:30.165364027 CEST	49705	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.166059017 CEST	49705	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.184590101 CEST	443	49707	104.18.10.207	192.168.2.5
Apr 12, 2021 14:00:30.184634924 CEST	443	49706	104.16.18.94	192.168.2.5
Apr 12, 2021 14:00:30.184701920 CEST	49707	443	192.168.2.5	104.18.10.207
Apr 12, 2021 14:00:30.184727907 CEST	49706	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.185177088 CEST	443	49708	104.18.10.207	192.168.2.5
Apr 12, 2021 14:00:30.185288906 CEST	49708	443	192.168.2.5	104.18.10.207
Apr 12, 2021 14:00:30.188401937 CEST	49707	443	192.168.2.5	104.18.10.207
Apr 12, 2021 14:00:30.189078093 CEST	49708	443	192.168.2.5	104.18.10.207
Apr 12, 2021 14:00:30.189793110 CEST	49706	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.217561960 CEST	443	49705	104.16.18.94	192.168.2.5
Apr 12, 2021 14:00:30.219093084 CEST	443	49705	104.16.18.94	192.168.2.5
Apr 12, 2021 14:00:30.219134092 CEST	443	49705	104.16.18.94	192.168.2.5
Apr 12, 2021 14:00:30.219213009 CEST	49705	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.219903946 CEST	49705	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.222049952 CEST	443	49704	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.223014116 CEST	443	49704	64.187.225.237	192.168.2.5
Apr 12, 2021 14:00:30.225363970 CEST	49704	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.229600906 CEST	49704	443	192.168.2.5	64.187.225.237
Apr 12, 2021 14:00:30.234888077 CEST	49705	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.235307932 CEST	49705	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.235522985 CEST	49705	443	192.168.2.5	104.16.18.94
Apr 12, 2021 14:00:30.239530087 CEST	443	49707	104.18.10.207	192.168.2.5
Apr 12, 2021 14:00:30.240516901 CEST	443	49708	104.18.10.207	192.168.2.5
Apr 12, 2021 14:00:30.241213083 CEST	443	49706	104.16.18.94	192.168.2.5
Apr 12, 2021 14:00:30.241992950 CEST	443	49707	104.18.10.207	192.168.2.5
Apr 12, 2021 14:00:30.242031097 CEST	443	49707	104.18.10.207	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 14:00:22.316421986 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:22.378357887 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:27.627353907 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:27.685997963 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:28.785471916 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:28.870233059 CEST	53	49557	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:29.913161993 CEST	61733	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:29.921330929 CEST	65447	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:29.930213928 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:29.972995043 CEST	53	65447	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:29.973059893 CEST	53	61733	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:29.990211964 CEST	53	52441	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:44.466003895 CEST	62176	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:44.517628908 CEST	53	62176	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:45.331798077 CEST	59596	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:45.389096975 CEST	53	59596	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:46.030978918 CEST	65296	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:46.082648993 CEST	53	65296	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:49.745277882 CEST	63183	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:49.803940058 CEST	53	63183	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:54.173959017 CEST	60151	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:54.222749949 CEST	53	60151	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:55.384599924 CEST	56969	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:55.436132908 CEST	53	56969	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:57.391397953 CEST	55161	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:57.442430973 CEST	53	55161	8.8.8.8	192.168.2.5
Apr 12, 2021 14:00:57.619592905 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 12, 2021 14:00:57.672566891 CEST	53	54757	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 14:00:28.785471916 CEST	192.168.2.5	8.8.8.8	0xdadb	Standard query (0)	goldenislesskincare.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:00:29.913161993 CEST	192.168.2.5	8.8.8.8	0xad09	Standard query (0)	maxcdn.bootstrapcdn.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:00:29.930213928 CEST	192.168.2.5	8.8.8.8	0x75a	Standard query (0)	cdnjs.cloudflare.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:00:45.331798077 CEST	192.168.2.5	8.8.8.8	0x83d2	Standard query (0)	goldenislesskincare.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 12, 2021 14:00:28.870233059 CEST	8.8.8.8	192.168.2.5	0xdadb	No error (0)	goldenislesskincare.com	64.187.225.237	A (IP address)	IN (0x0001)
Apr 12, 2021 14:00:29.973059893 CEST	8.8.8.8	192.168.2.5	0xad09	No error (0)	maxcdn.bootstrapcdn.com	104.18.10.207	A (IP address)	IN (0x0001)
Apr 12, 2021 14:00:29.973059893 CEST	8.8.8.8	192.168.2.5	0xad09	No error (0)	maxcdn.bootstrapcdn.com	104.18.11.207	A (IP address)	IN (0x0001)
Apr 12, 2021 14:00:29.990211964 CEST	8.8.8.8	192.168.2.5	0x75a	No error (0)	cdnjs.cloudflare.com	104.16.18.94	A (IP address)	IN (0x0001)
Apr 12, 2021 14:00:29.990211964 CEST	8.8.8.8	192.168.2.5	0x75a	No error (0)	cdnjs.cloudflare.com	104.16.19.94	A (IP address)	IN (0x0001)
Apr 12, 2021 14:00:45.389096975 CEST	8.8.8.8	192.168.2.5	0x83d2	No error (0)	goldenislesskincare.com	64.187.225.237	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 12, 2021 14:00:29.165838003 CEST	64.187.225.237	443	192.168.2.5	49703	CN=goldenislesskincare.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Sun Apr 11 02:00:00 CEST 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Sun Jul 11 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Apr 12, 2021 14:00:29.171904087 CEST	64.187.225.237	443	192.168.2.5	49702	CN=goldenislesskincare.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Sun Apr 11 02:00:00 CEST 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Sun Jul 11 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Apr 12, 2021 14:00:30.219134092 CEST	104.16.18.94	443	192.168.2.5	49705	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Oct 21 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Thu Oct 21 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 12, 2021 14:00:30.219134092 CEST	104.16.18.94	443	192.168.2.5	49705	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Apr 12, 2021 14:00:30.242031097 CEST	104.18.10.207	443	192.168.2.5	49707	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Mar 01 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Tue Mar 01 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 12, 2021 14:00:30.242031097 CEST	104.18.10.207	443	192.168.2.5	49707	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Apr 12, 2021 14:00:30.242824078 CEST	104.16.18.94	443	192.168.2.5	49706	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Oct 21 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Thu Oct 21 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 12, 2021 14:00:30.242824078 CEST	104.16.18.94	443	192.168.2.5	49706	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Apr 12, 2021 14:00:30.246119022 CEST	104.18.10.207	443	192.168.2.5	49708	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Mar 01 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Tue Mar 01 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Apr 12, 2021 14:00:30.246119022 CEST	104.18.10.207	443	192.168.2.5	49708	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Apr 12, 2021 14:00:45.675885916 CEST	64.187.225.237	443	192.168.2.5	49712	CN=goldenislesskincare.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Sun Apr 11 02:00:00 CEST 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Sun Jul 11 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 2548 Parent PID: 792

General

Start time:	14:00:27
Start date:	12/04/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff646510000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 5964 Parent PID: 2548

General

Start time:	14:00:27
Start date:	12/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2548 CREDAT:17410 /prefetch:2
Imagebase:	0x2e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://goldenislesskincare.com/office365/index.php

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Signature Overview

AV Detection:

Phishing:

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 2548 Parent PID: 792

General

Analysis Process: iexplore.exe PID: 5964 Parent PID: 2548

General

Disassembly