Analysis Report https://hangouts.google.com/linkredirect?dest=http://Nrstpa.lwfiacades.com/drogers@nrstpa.com

Overview

General Information

Sample URL:	https://hangouts.google.com/linkredirect?dest=http://Nrstpa.lwfiacades.com/drogers@nrstpa.com
Analysis ID:	412578
Infos:
Most interesting Screenshot:

Detection

Phisher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Phishing site detected (based on favicon image match)

Yara detected Phisher

Phishing site detected (based on logo template match)

HTML body contains low number of good links

HTML title does not match URL

URL contains potential PII (phishing indication)

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: https://hangouts.google.com/linkredirect?dest=http://Nrstpa.lwfiacades.com/drogers@nrstpa.com

SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)

Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=

Matcher: Template: microsoft matched with high similarity

Yara detected Phisher

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\drogers@nrstpa[1].htm, type: DROPPED

Phishing site detected (based on logo template match)

Matcher: Template: microsoft matched

HTML body contains low number of good links

Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	HTTP Parser: Number of links: 0
Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	HTTP Parser: Number of links: 0

HTML title does not match URL

Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	HTTP Parser: Title: Sign in to your account does not match URL
Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	HTTP Parser: Title: Sign in to your account does not match URL

URL contains potential PII (phishing indication)

Source: https://hangouts.google.com/linkredirect?dest=http://Nrstpa.lwfiacades.com/drogers@nrstpa.com

Sample URL: PII: drogers@nrstpa.com

Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	HTTP Parser: No <meta name="author".. found
Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	HTTP Parser: No <meta name="author".. found

Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	HTTP Parser: No <meta name="copyright".. found
Source: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 20.36.46.16:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.36.46.16:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.36.46.16:443 -> 192.168.2.7:49736 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16
Source: unknown	TCP traffic detected without corresponding DNS query: 20.36.46.16

Source: global traffic	HTTP traffic detected: GET /drogers@nrstpa.com HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nrstpa.lwfiacades.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ZeroSSLRSADomainSecureSiteCA.crt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/10.0Host: zerossl.crt.sectigo.com
Source: global traffic	HTTP traffic detected: GET /ZeroSSLRSADomainSecureSiteCA.crt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/10.0Host: zerossl.crt.sectigo.com

Source: unknown

DNS traffic detected: queries for: nrstpa.lwfiacades.com

Source: url[1].htm.3.dr	String found in binary or memory: http://Nrstpa.lwfiacades.com/drogers
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr	String found in binary or memory: http://nrstpa.lwfiacad/url?hl=en-US&q=http://Nrstpa.lwfiacades.com/drogers
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr, ~DF4FBE3EEF91A8D364.TMP.2.dr	String found in binary or memory: http://nrstpa.lwfiacades.com/drogers
Source: KFOmCnqEu92Fr1Mu4mxP[1].ttf.3.dr, KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf.3.dr, KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf.3.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 10BDC45B4A27319429BBC4F08A4E8A10.3.dr	String found in binary or memory: http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
Source: drogers@nrstpa[1].htm.3.dr	String found in binary or memory: https://20.36.46.16/?drogers
Source: imagestore.dat.3.dr	String found in binary or memory: https://20.36.46.16/css/favicon.ico
Source: imagestore.dat.3.dr	String found in binary or memory: https://20.36.46.16/css/favicon.ico~
Source: imagestore.dat.3.dr	String found in binary or memory: https://20.36.46.16/css/favicon.ico~(
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr, ~DF4FBE3EEF91A8D364.TMP.2.dr	String found in binary or memory: https://20.36.46.16/en?MTYyMDg0MTE2OGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJmOGEyMTQ5Y
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr	String found in binary or memory: https://20.36.46.16/enes.com/drogers
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr	String found in binary or memory: https://20.36.46.16/eu
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr	String found in binary or memory: https://20.36.46.16/eu?MTYyMDg0MTE2OGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJmOGEyMTQ5Y
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr, ~DF4FBE3EEF91A8D364.TMP.2.dr	String found in binary or memory: https://20.36.46.16/eu?MTYyMDg0MTE3M2I4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJlMDE1ZTUwY
Source: imagestore.dat.3.dr	String found in binary or memory: https://20.36.46.16/favicon.ico~
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr	String found in binary or memory: https://20.36.46.16/fu
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr, ~DF4FBE3EEF91A8D364.TMP.2.dr	String found in binary or memory: https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDR
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-reca
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#localhost_support
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#my-computer-or-network-may-be-sending-automated-que
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://support.google.com/recaptcha
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://support.google.com/recaptcha#6262736
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://support.google.com/recaptcha/#6175971
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://support.google.com/recaptcha/?hl=en#6223828
Source: imagestore.dat.3.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: imagestore.dat.3.dr	String found in binary or memory: https://www.google.com/favicon.ico~
Source: recaptcha__en[1].js.3.dr	String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: en[1].htm.3.dr	String found in binary or memory: https://www.google.com/recaptcha/api.js?render=6LerpdEaAAAAAJwOd98lgB6kaXYe16lqEK7JOj_Z
Source: anchor[1].htm.3.dr, api[1].js.3.dr, recaptcha__en[1].js.3.dr	String found in binary or memory: https://www.google.com/recaptcha/api2/
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr	String found in binary or memory: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LerpdEaAAAAAJwOd98lgB6kaXYe16lqEK7JOj_Z&co=aHR0
Source: {6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat.2.dr, ~DF4FBE3EEF91A8D364.TMP.2.dr	String found in binary or memory: https://www.google.com/url?hl=en-US&q=http://Nrstpa.lwfiacades.com/drogers
Source: anchor[1].htm.3.dr, webworker[1].js.3.dr, api[1].js.3.dr	String found in binary or memory: https://www.gstatic.com/recaptcha/releases/npGaewopg1UaB8CNtYfx-y1j/recaptcha__en.js
Source: anchor[1].htm.3.dr	String found in binary or memory: https://www.gstatic.com/recaptcha/releases/npGaewopg1UaB8CNtYfx-y1j/styles__ltr.css

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 20.36.46.16:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.36.46.16:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.36.46.16:443 -> 192.168.2.7:49736 version: TLS 1.2

Source: classification engine

Classification label: mal68.phis.win@3/32@2/4

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C8C9A57-B394-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF7E71A0877BF7B1F1.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5696 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5696 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.199.212.52	crt.sectigo.com	United Kingdom	48447	SECTIGOGB	false
20.36.46.16	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
51.103.149.73	nrstpa.lwfiacades.com	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
crt.sectigo.com	91.199.212.52	true
nrstpa.lwfiacades.com	51.103.149.73	true
zerossl.crt.sectigo.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nrstpa.lwfiacades.com/drogers@nrstpa.com	false	Avira URL Cloud: safe	unknown
https://20.36.46.16/fuo98h5j0z7ia3xk2mwbq1lt?MTYyMDg0MTE3NGI4ZGUyMDc5OWY0OGIwZDAzNDk4MDhjZmJkNzg4MDRhNWJmNTFkMmJkYTM1YmYyZjZhZDNkOGVjZTA2NTcyNmUzODk5NmY1Yw==&id=38342e31372e35322e3738&email=drogers@nrstpa.com&logo=b2ZmaWNlL2Jhbm5lci5wbmc/YW55aG9wZQ==&background=b2ZmaWNlL2JhY2tncm91bmQuanBnP2FueWhvcGU=	true		unknown
http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt	false	Avira URL Cloud: safe	unknown

ID:	412578
Product:	CloudBasic
Start time:	19:38:34
Start date:	12.05.2021
Cookbook:	browseurl.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\10BDC45B4A27319429BBC4F08A4E8A10	data	5C8E451E4A7E09535AB02C6301187E84	CE337AB88CDAD351169A54668C6651E37D2C3A58	3BEE4411F74C082D025884DA0688FE633DF567E220D9D17FD2733AF378123E5C
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\10BDC45B4A27319429BBC4F08A4E8A10	data	57737E1689CA31A69579323C46D3345F	6227D8E6518D92AB68810DDEDE532DDCE87C4FE2	BBBC6C1417D519BFA6F90D4EBDCC19678562D0E519F5A1E36D9F492D431745AE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\HI3R5GFT\www.google[1].xml	ASCII text, with very long lines, with no line terminators	21E6B036B80D38D437C14480676328D1	68A3CEE5336C6DFFAE167F7A07F6FEA1C22D2393	89E32AEAC89CC24F9795D8D08C4908676A0D8EAD57672E6DDCF167D2F173CF85
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\T8DRMTJ1\20.36.46[1].xml	ASCII text, with no line terminators	BCFEB714C58D1D958F2DF59E1ADFA7DD	6109CC0A55195C0DF7E436807A5C60FFED697CEB	E8295F0FB83D232ACAE77945ED8BB36A9AC6FF07EC05829FA31402979AE92C86
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C8C9A57-B394-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	26D6AF0E5BABCE356963E6A2DCF26B5D	21BCBB772BAD878A1723AB6557FE7F76E24DB7F1	8BE8B72B36E96F6F8A53806889B96396F180450718947AF86A85E467678AAA7A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6C8C9A59-B394-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	E3D15986536FDCE968CE8514D3140343	5006F64F7D1C19B085F98B1BEDA45112959E9E9C	3D95B8EAA36B574C03AD9701E6F620BCD1000E55C5CC9F0FEAC822FD1105FA73
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{765A0962-B394-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	9321BC40398EE4D65587DF1952C9DF20	21455E739E863DE964FAAC6036A5C53460341A3A	B497F332694B91358F6E39ABA6CD346B12322276E54A7F03BCC7CAC9AF3BD8B1
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\po60zt0\imagestore.dat	data	FD66FD5A2EE3E3853D474DA11C0EDA43	80D3E7435205D9DE27DCEDB6E0F31ECB769D6A65	30E698B994CB8D0845A9704EF7DC304E4BE58508016A83BAAFEFE403D1AEDAA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf	TrueType Font data, 18 tables, 1st "GDEF", 8 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.Roboto MediumRegularVersion 2.137; 2017Roboto-Me	4D88404F733741EAACFDA2E318840A98	49E0F3D32666AC36205F84AC7457030CA0A9D95F	B464107219AF95400AF44C949574D9617DE760E100712D4DEC8F51A76C50DDA1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf	TrueType Font data, 18 tables, 1st "GDEF", 8 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.Roboto BlackRegularVersion 2.137; 2017Roboto-Bla	4D99B85FA964307056C1410F78F51439	F8E30A1A61011F1EE42435D7E18BA7E21D4EE894	01027695832F4A3850663C9E798EB03EADFD1462D0B76E7C5AC6465D2D77DBD0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\KFOmCnqEu92Fr1Mu4mxP[1].ttf	TrueType Font data, 18 tables, 1st "GDEF", 8 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.RobotoRegularVersion 2.137; 2017Roboto-Regularht	372D0CC3288FE8E97DF49742BAEFCE90	754D9EAA4A009C42E8D6D40C632A1DAD6D44EC21	466989FD178CA6ED13641893B7003E5D6EC36E42C2A816DEE71F87B775EA097F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\anchor[1].htm	HTML document, ASCII text, with very long lines	78738D182FF6BD5F50FB4F17AEF1131E	44D9667F4580232E5E15F93FC9DA7BE10F574297	8F80D647CF7B1D4243EC9A005892D542B0529C8A62C18F3BA33DAFDDEA65F182
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\favicon[1].ico	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel	F3418A443E7D841097C714D69EC4BCB8	49263695F6B0CDD72F45CF1B775E660FDC36C606	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\styles__ltr[1].css	ASCII text, with very long lines, with no line terminators	182B64B9E3032D6BA48A0A6C854032B0	879537EC1D2CE611AE82B784A25A3E2CDC1EC6FC	94B328F86382CDA7D83CEBB40EE8DD8F567582A60BA91A90A37F490B0F0EDEFA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\arrow_left[1].svg	SVG Scalable Vector Graphics image	A9CC2824EF3517B6C4160DCF8FF7D410	8DB9AEBAD84CA6E4225BFDD2458FF3821CC4F064	34F9DB946E89F031A80DFCA7B16B2B686469C9886441261AE70A44DA1DFA2D58
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\banner[1].png	PNG image data, 108 x 24, 8-bit/color RGBA, non-interlaced	0FE091116AC9646D59E1ED2CA60A9826	FD00FCAEA832259B68B03389A5D69D47D8FDC8AA	D7B50AE5C86E819103451897C80511EFAEC3F05A604CD38718BE14FA7D1390A0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\default[1].css	ASCII text, with very long lines	48ACCE3492C87668FE2FB1F531CA08A5	9382ABCBE4C89108F5ED6E5B9DD8860CC7EF6A07	851422AB92F34CD3F6C983301748A797B51F5E9BC0A6FE6CEC5C955BFD132D21
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\drogers@nrstpa[1].htm	HTML document, ASCII text	65F40437AFA7927AC0350629B49427A9	C6072CE0E589E2104FAB2A3953EB3762AC832DE1	E954C62ABAE826989BFDBF02DFB26DCF18B6F6AADAD261D69C06C9F658C1E068
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\eu[1].htm	HTML document, UTF-8 Unicode (with BOM) text, with very long lines	DF8B636B8D324564B300BCE8570701AA	0786E241D0E783D40F08698EEAA15C2A67FF0533	2C9E05D06BDC04E88E2BFA56DE581FD16D0473C67A5069FCB22F9E80F33D0A70
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\favicon[1].ico	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel	1E7D0E39C30B085C52379E9B837C4CAA	460E0AE68A6C545A5523A9E58012D273FB915600	E7B0EBAFAEB03607B1C5342F52CCFEE82554BBD337920A6C7D009815A417D809
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\fuo98h5j0z7ia3xk2mwbq1lt[1].htm	HTML document, UTF-8 Unicode (with BOM) text, with very long lines	D194CBD3469F9A7F77DDF76A0CF26EAC	C140A36E93E308E3D4EE65FBAF73BE6F016519A5	D305548D496DBF81E0417EC1F620A6A23A320ADD3E7DE1BD8A947A5828917266
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\favicon[1].ico	MS Windows icon resource - 6 icons, 128x128, 16 colors, 72x72, 16 colors	12E3DAC858061D088023B2BD48E2FA96	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\logo_48[1].png	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	EF9941290C50CD3866E2BA6B793F010D	4736508C795667DCEA21F8D864233031223B7832	1B9EFB22C938500971AAC2B2130A475FA23684DD69E43103894968DF83145B8A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\recaptcha__en[1].js	ASCII text, with very long lines	87FBEAD296F0B44EE37ECF914E7BBB5D	6A51A4F3ECDE8ABDEF98773D84F012FF9DDE5101	99416B76EF60008EDC2057882BFB782E731A5A32264D60C7F2A5F69E577C618D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\url[1].htm	HTML document, ASCII text, with CRLF, LF line terminators	33E2EAE05442443B9C6A533873A7C605	C675834C09A7F8F8B3118ACF406AE8ECEEC91261	56BCC5624B18AA0691F646675EFFBBC67778E0F927D703D28413E5DD77DCB14D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\api[1].js	ASCII text, with very long lines, with no line terminators	73D5ABE263F69F6A69FA92F372E13F0B	E67CC7D669607D22AD76CEF614A3A1C695CC4084	E5925A2755538844C7F961842E468BC6E0ED8F1522677D181DBD8CB0C2069252
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\background[1].jpg	JPEG image data, baseline, precision 8, 1920x1080, frames 3	7916A894EBDE7D29C2CC29B267F1299F	78345CA08F9E2C3C2CC9B318950791B349211296	D8F5AB3E00202FD3B45BE1ACD95D677B137064001E171BC79B06826D98F1E1D3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\en[1].htm	HTML document, UTF-8 Unicode text, with CRLF line terminators	24A60766464F5B2BD6F87876B7DA3D95	FE055D077095DBC3482938E87B0E7B8C7CEF16BA	A0E2E1867725DC41D4F429D92BA2A19A53674831D992A3F81067D3FAE9967B2E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\webworker[1].js	ASCII text, with no line terminators	C4DAA7D3BCA5413BE7BE44A9B9A25E11	E06511C7E20394362B45E888CE1C98D02AC15084	B0969F0CA46A6F19D27F76E8ED98F974395121D227C3085ED9325A63CCCE3102
C:\Users\user\AppData\Local\Temp\~DF4FBE3EEF91A8D364.TMP	data	D25C52546F613F8B90396A57DB845C64	4AA9E012FE27A877DACB444500887E0D6C77E945	25816A27F1603E17D573EDB94261F4AFF7550A5A88ED74A5D5F53B1CD1F92C38
C:\Users\user\AppData\Local\Temp\~DF7E71A0877BF7B1F1.TMP	data	996649C98315D82E24B33D7F2211479C	3E1D95A890CE705753FF107A09D0F06821A6DA79	22B455D7D93CD23E2F7D8A5A788705B07470336FEA7CBFFF7F6BAB2FAEF9B57F
C:\Users\user\AppData\Local\Temp\~DFEA5CD8702A3FE0A4.TMP	data	AB889A32AB9ACD33E816C2422337C69A	1190C6B34DED2D295827C2A88310D10A8B90B59B	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA

Analysis Report https://hangouts.google.com/linkredirect?dest=http://Nrstpa.lwfiacades.com/drogers@nrstpa.com

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Phishing:

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs